CIRCULAR NO. A-130
Revised

(Transmittal Memorandum No. 3)


MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
SUBJECT: Management of Federal Information Resources

1. Purpose: This Circular establishes policy for the management of Federal
information resources. Procedural and analytic guidelines for implementing
specific aspects of these policies are included as appendices.

2. Rescissions: This Circular rescinds OMB Circulars No. A-3, A-71, A-90,
A-108, A-114, and A-121, and all Transmittal Memoranda to those circulars.

3. Authorities: This Circular is issued pursuant to the Paperwork
Reduction Act (PRA) of 1980, as amended by the Paperwork Reduction Act of 1995
(44 U.S.C. Chapter 35); the Privacy Act, as amended (5 U.S.C. 552a); the Chief
Financial Officers Act (31 U.S.C. 3512 et seq.); the Federal Property and
Administrative Services Act, as amended (40 U.S.C. 759 and 487); the Computer
Security Act (40 U.S.C. 759 note); the Budget and Accounting Act, as amended
(31 U.S.C. Chapter 11); Executive Order No. 12046 of March 27, 1978; and
Executive Order No. 12472 of April 3, 1984.

4. Applicability and Scope:

a. The policies in this Circular apply to the information activities of
all agencies of the executive branch of the Federal government.

b. Information classified for national security purposes should also be
handled in accordance with the appropriate national security directives.
National security emergency preparedness activities should be conducted in
accordance with Executive Order No. 12472.

5. Background: The Paperwork Reduction Act establishes a broad mandate for
agencies to perform their information resources management activities in an
efficient, effective, and economical manner. To assist agencies in an
integrated approach to information resources management, the Act requires that
the Director of OMB develop and implement uniform and consistent information
resources management policies; oversee the development and promote the use of
information management principles, standards, and guidelines; evaluate agency
information resources management practices in order to determine their
adequacy and efficiency; and determine compliance of such practices with the
policies, principles, standards, and guidelines promulgated by the Director.

6. Definitions:

a. The term "agency" means any executive department, military department,
government corporation, government controlled corporation, or other
establishment in the executive branch of the Federal government, or any
independent regulatory agency. Within the Executive Office of the President,
the term includes only OMB and the Office of Administration.

b. The term "audiovisual production" means a unified presentation,
developed according to a plan or script, containing visual imagery, sound or
both, and used to convey information.


c. The term "dissemination" means the government initiated distribution of
information to the public. Not considered dissemination within the meaning of
this Circular is distribution limited to government employees or agency
contractors or grantees, intra- or inter-agency use or sharing of government
information, and responses to requests for agency records under the Freedom of
Information Act (5 U.S.C. 552) or Privacy Act.

d. The term "full costs," when applied to the expenses incurred in the
operation of an information processing service organization (IPSO), is
comprised of all direct, indirect, general, and administrative costs incurred
in the operation of an IPSO. These costs include, but are not limited to,
personnel, equipment, software, supplies, contracted services from private
sector providers, space occupancy, intra-agency services from within the
agency, inter-agency services from other Federal agencies, other services that
are provided by State and local governments, and Judicial and Legislative
branch organizations.

e. The term "government information" means information created, collected,
processed, disseminated, or disposed of by or for the Federal Government.

f. The term "government publication" means information which is published
as an individual document at government expense, or as required by law. (44
U.S.C. 1901)

g. The term "information" means any communication or representation of
knowledge such as facts, data, or opinions in any medium or form, including
textual, numerical, graphic, cartographic, narrative, or audiovisual forms.

h. The term "information dissemination product" means any book, paper,
map, machine-readable material, audiovisual production, or other documentary
material, regardless of physical form or characteristic, disseminated by an
agency to the public.

i. The term "information life cycle" means the stages through which
information passes, typically characterized as creation or collection,
processing, dissemination, use, storage, and disposition.

j. The term "information management" means the planning, budgeting,
manipulating, and controlling of information throughout its life cycle.

k. The term "information resources" includes both government information
and information technology.

l. The term "information processing services organization" (IPSO) means a
discrete set of personnel, information technology, and support equipment with
the primary function of providing services to more than one agency on a
reimbursable basis.

m. The term "information resources management" means the process of
managing information resources to accomplish agency missions. The term
encompasses both information itself and the related resources, such as
personnel, equipment, funds, and information technology.

n. The term "information system" means a discrete set of information
resources organized for the collection, processing, maintenance, transmission,
and dissemination of information, in accordance with defined procedures,
whether automated or manual.

o. The term "information system life cycle" means the phases through which
an information system passes, typically characterized as initiation,
development, operation, and termination.

p. The term "information technology" means the hardware and software
operated by a Federal agency or by a contractor of a Federal agency or other
organization that processes information on behalf of the Federal government to
accomplish a Federal function, regardless of the technology involved, whether
computers, telecommunications, or others. It includes automatic data
processing equipment as that term is defined in Section 111(a)(2) of the
Federal Property and Administrative Services Act of 1949. For the purposes of
this Circular, automatic data processing and telecommunications activities
related to certain critical national security missions, as defined in 44
U.S.C. 3502(2) and 10 U.S.C. 2315, are excluded.

q. The term "major information system" means an information system that
requires special management attention because of its importance to an agency
mission; its high development, operating, or maintenance costs; or its
significant role in the administration of agency programs, finances, property,
or other resources.

r. The term "records" means all books, papers, maps, photographs,
machine-readable materials, or other documentary materials, regardless of
physical form or characteristics, made or received by an agency of the United
States Government under Federal law or in connection with the transaction of
public business and preserved or appropriate for preservation by that agency
or its legitimate successor as evidence of the organization, functions,
policies, decisions, procedures, operations, or other activities of the
government or because of the informational value of the data in them. Library
and museum material made or acquired and preserved solely for reference or
exhibition purposes, extra copies of documents preserved only for convenience
of reference, and stocks of publications and of processed documents are not
included. (44 U.S.C. 3301)

s. The term "records management" means the planning, controlling,
directing, organizing, training, promoting, and other managerial activities
involved with respect to records creation, records maintenance and use, and
records disposition in order to achieve adequate and proper documentation of
the policies and transactions of the Federal Government and effective and
economical management of agency operations. (44 U.S.C. 2901(2))

t. The term "service recipient" means an agency organizational unit,
programmatic entity, or chargeable account that receives information
processing services from an information processing service organization
(IPSO). A service recipient may be either internal or external to the
organization responsible for providing information resources services, but
normally does not report either to the manager or director of the IPSO or to
the same immediate supervisor.

7. Basic Considerations and Assumptions:

a. The Federal Government is the largest single producer, collector,
consumer, and disseminator of information in the United States. Because of
the extent of the government's information activities, and the dependence of
those activities upon public cooperation, the management of Federal
information resources is an issue of continuing importance to all Federal
agencies, State and local governments, and the public.

b. Government information is a valuable national resource. It provides
the public with knowledge of the government, society, and economy — past,
present, and future. It is a means to ensure the accountability of
government, to manage the government's operations, to maintain the healthy
performance of the economy, and is itself a commodity in the marketplace.

c. The free flow of information between the government and the public is
essential to a democratic society. It is also essential that the government
minimize the Federal paperwork burden on the public, minimize the cost of its
information activities, and maximize the usefulness of government information.

d. In order to minimize the cost and maximize the usefulness of government
information, the expected public and private benefits derived from government
information should exceed the public and private costs of the information,
recognizing that the benefits to be derived from government information may
not always be quantifiable.

e. The nation can benefit from government information disseminated both by
Federal agencies and by diverse nonfederal parties, including State and local
government agencies, educational and other not-for-profit institutions, and
for-profit organizations.

f. Because the public disclosure of government information is essential to
the operation of a democracy, the management of Federal information resources
should protect the public's right of access to government information.

g. The individual's right to privacy must be protected in Federal
Government information activities involving personal information.

h. Systematic attention to the management of government records is an
essential component of sound public resources management which ensures public
accountability. Together with records preservation, it protects the
government's historical record and guards the legal and financial rights of
the government and the public.

i. Agency strategic planning can improve the operation of government
programs. The application of information resources should support an agency's
strategic plan to fulfill its mission. The integration of IRM planning with
agency strategic planning promotes the appropriate application of Federal
information resources.

j. Because State and local governments are important producers of
government information for many areas such as health, social welfare, labor,
transportation, and education, the Federal Government must cooperate with
these governments in the management of information resources.

k. The open and efficient exchange of scientific and technical government
information, subject to applicable national security controls and the
proprietary rights of others, fosters excellence in scientific research and
effective use of Federal research and development funds.

l. Information technology is not an end in itself. It is one set of
resources that can improve the effectiveness and efficiency of Federal program
delivery.

m. Federal Government information resources management policies and
activities can affect, and be affected by, the information policies and
activities of other nations.

n. Users of Federal information resources must have skills, knowledge, and
training to manage information resources, enabling the Federal government to
effectively serve the public through automated means.

o. The application of up-to-date information technology presents
opportunities to promote fundamental changes in agency structures, work
processes, and ways of interacting with the public that improve the
effectiveness and efficiency of Federal agencies.

p. The availability of government information in diverse media, including
electronic formats, permits agencies and the public greater flexibility in
using the information.

q. Federal managers with program delivery responsibilities should
recognize the importance of information resources management to mission
performance.

8. Policy:

a. Information Management Policy

(1) Information Management Planning. Agencies shall plan in an integrated
manner for managing information throughout its life cycle. Agencies shall:

(a) Consider, at each stage of the information life cycle, the effects of
decisions and actions on other stages of the life cycle, particularly those
concerning information dissemination;

(b) Consider the effects of their actions on members of the public and
ensure consultation with the public as appropriate;

(c) Consider the effects of their actions on State and local governments
and ensure consultation with those governments as appropriate;

(d) Seek to satisfy new information needs through interagency or
intergovernmental sharing of information, or through commercial sources, where
appropriate, before creating or collecting new information;

(e) Integrate planning for information systems with plans for resource
allocation and use, including budgeting, acquisition, and use of information
technology;

(f) Train personnel in skills appropriate to management of information;

(g) Protect government information commensurate with the risk and
magnitude of harm that could result from the loss, misuse, or unauthorized
access to or modification of such information;

(h) Use voluntary standards and Federal Information Processing Standards
where appropriate or required;

(i) Consider the effects of their actions on the privacy rights of
individuals, and ensure that appropriate legal and technical safeguards are
implemented;

(j) Record, preserve, and make accessible sufficient information to ensure
the management and accountability of agency programs, and to protect the legal
and financial rights of the Federal Government;

(k) Incorporate records management and archival functions into the design,
development, and implementation of information systems;

(l) Provide for public access to records where required or appropriate.

(2) Information Collection. Agencies shall collect or create only that
information necessary for the proper performance of agency functions and which
has practical utility.

(3) Electronic Information Collection. Agencies shall use electronic
collection techniques where such techniques reduce burden on the public,
increase efficiency of government programs, reduce costs to the government and
the public, and/or provide better service to the public. Conditions favorable
to electronic collection include:

(a) The information collection seeks a large volume of data and/or
reaches a large proportion of the public;

(b) The information collection recurs frequently;

(c) The structure, format, and/or definition of the information sought by
the information collection does not change significantly over several years;

(d) The agency routinely converts the information collected to electronic
format;

(e) A substantial number of the affected public are known to have ready
access to the necessary information technology and to maintain the information
in electronic form;

(f) Conversion to electronic reporting, if mandatory, will not impose
substantial costs or other adverse effects on the public, especially State and
local governments and small business entities.

(4) Records Management. Agencies shall:

(a) Ensure that records management programs provide adequate and proper
documentation of agency activities;

(b) Ensure the ability to access records regardless of form or medium;

(c) In a timely fashion, establish, and obtain the approval of the
Archivist of the United States for, retention schedules for Federal records;
and

(d) Provide training and guidance as appropriate to all agency officials
and employees and contractors regarding their Federal records management
responsibilities.


(5) Providing Information to the Public. Agencies have a responsibility
to provide information to the public consistent with their missions. Agencies
shall discharge this responsibility by:

(a) Providing information, as required by law, describing agency
organization, activities, programs, meetings, systems of records, and other
information holdings, and how the public may gain access to agency information
resources;

(b) Providing access to agency records under provisions of the Freedom of
Information Act and the Privacy Act, subject to the protections and
limitations provided for in these Acts;

(c) Providing such other information as is necessary or appropriate for
the proper performance of agency functions; and

(d) In determining whether and how to disseminate information to the
public, agencies shall:

(i) Disseminate information in a manner that achieves the best balance
between the goals of maximizing the usefulness of the information and
minimizing the cost to the government and the public;

(ii) Disseminate information dissemination products on equitable and
timely terms;

(iii) Take advantage of all dissemination channels, Federal and
nonfederal, including State and local governments, libraries and private
sector entities, in discharging agency information dissemination
responsibilities;

(iv) Help the public locate government information maintained by or for
the agency.

(6) Information Dissemination Management System. Agencies shall maintain
and implement a management system for all information dissemination products
which shall, at a minimum:

(a) Assure that information dissemination products are necessary for
proper performance of agency functions (44 U.S.C. 1108);

(b) Consider whether an information dissemination product available from
other Federal or nonfederal sources is equivalent to an agency information
dissemination product and reasonably fulfills the dissemination
responsibilities of the agency;

(c) Establish and maintain inventories of all agency information
dissemination products;

(d) Develop such other aids to locating agency information dissemination
products including catalogs and directories, as may reasonably achieve agency
information dissemination objectives;

(e) Identify in information dissemination products the source of the
information, if from another agency;

(f) Ensure that members of the public with disabilities whom the agency
has a responsibility to inform have a reasonable ability to access the
information dissemination products;

(g) Ensure that government publications are made available to depository
libraries through the facilities of the Government Printing Office, as
required by law (44 U.S.C. Part 19);

(h) Provide electronic information dissemination products to the
Government Printing Office for distribution to depository libraries;

(i) Establish and maintain communications with members of the public and
with State and local governments so that the agency creates information
dissemination products that meet their respective needs;

(j) Provide adequate notice when initiating, substantially modifying, or
terminating significant information dissemination products; and

(k) Ensure that, to the extent existing information dissemination policies
or practices are inconsistent with the requirements of this Circular, a prompt
and orderly transition to compliance with the requirements of this Circular is
made.

(7) Avoiding Improperly Restrictive Practices. Agencies shall:

(a) Avoid establishing, or permitting others to establish on their behalf,
exclusive, restricted, or other distribution arrangements that interfere with
the availability of information dissemination products on a timely and
equitable basis;

(b) Avoid establishing restrictions or regulations, including the charging
of fees or royalties, on the reuse, resale, or redissemination of Federal
information dissemination products by the public; and,

(c) Set user charges for information dissemination products at a level
sufficient to recover the cost of dissemination but no higher. They shall
exclude from calculation of the charges costs associated with original
collection and processing of the information. Exceptions to this policy are:

(i) Where statutory requirements are at variance with the policy;

(ii) Where the agency collects, processes, and disseminates the
information for the benefit of a specific identifiable group beyond the
benefit to the general public;

(iii) Where the agency plans to establish user charges at less than
cost of dissemination because of a determination that higher charges would
constitute a significant barrier to properly performing the agency's
functions, including reaching members of the public whom the agency has a
responsibility to inform; or

(iv) Where the Director of OMB determines an exception is warranted.

(8) Electronic Information Dissemination. Agencies shall use electronic
media and formats, including public networks, as appropriate and within
budgetary constraints, in order to make government information more easily
accessible and useful to the public. The use of electronic media and formats
for information dissemination is appropriate under the following conditions:

(a) The agency develops and maintains the information electronically;

(b) Electronic media or formats are practical and cost effective ways to
provide public access to a large, highly detailed volume of information;

(c) The agency disseminates the product frequently;

(d) The agency knows a substantial portion of users have ready access to
the necessary information technology and training to use electronic
information dissemination products;

(e) A change to electronic dissemination, as the sole means of
disseminating the product, will not impose substantial acquisition or training
costs on users, especially State and local governments and small business
entities.

(9) Safeguards. Agencies shall:

(a) Ensure that information is protected commensurate with the risk and
magnitude of the harm that would result from the loss, misuse, or unauthorized
access to or modification of such information;

(b) Limit the collection of information which identifies individuals to
that which is legally authorized and necessary for the proper performance of
agency functions;

(c) Limit the sharing of information that identifies individuals or
contains proprietary information to that which is legally authorized, and
impose appropriate conditions on use where a continuing obligation to ensure
the confidentiality of the information exists;

(d) Provide individuals, upon request, access to records about them
maintained in Privacy Act systems of records, and permit them to amend such
records as are in error consistent with the provisions of the Privacy Act.

b. Information Systems and Information Technology Management

(1) Evaluation and Performance Measurement. Agencies shall promote the
appropriate application of Federal information resources as follows:

(a) Seek opportunities to improve the effectiveness and efficiency of
government programs through work process redesign and the judicious
application of information technology;

(b) Prepare, and update as necessary throughout the information system life
cycle, a benefit-cost analysis for each information system:

(i) at a level of detail appropriate to the size of the investment;

(ii) consistent with the methodology described in OMB Circular No. A-94,
"Guidelines and Discount Rates for Benefit-Cost Analysis of Federal
Programs;" and

(iii) that relies on systematic measures of mission performance,
including the:

(a) effectiveness of program delivery;

(b) efficiency of program administration; and

(c) reduction in burden, including information collection
burden, imposed on the public;

(c) Conduct benefit-cost analyses to support ongoing management oversight
processes that maximize return on investment and minimize financial and
operational risk for investments in major information systems on an
agency-wide basis; and

(d) Conduct post-implementation reviews of information systems to validate
estimated benefits and document effective management practices for broader
use.


(2)  Strategic  Information  Resources  Management  (IRM)  Planning.  Agencies 
shall  establish  and  maintain  strategic  information  resources  management 
planning  processes  which  include  the  following  components: 

(a)  Strategic  IRM  planning  that  addresses  how  the  management  of  information 
resources  promotes  the  fulfillment  of  an  agency's  mission.  This  planning 
process  should  support  the  development  and  maintenance  of  a  strategic  IRM  plan 
that  reflects  and  anticipates  changes  in  the  agency's  mission,  policy 
direction,  technological  capabilities,  or  resource  levels; 

(b)  Information  planning  that  promotes  the  use  of  information  throughout 
its  life  cycle  to  maximize  the  usefulness  of  information,  minimize  the  burden 
on  the  public,  and  preserve  the  appropriate  integrity,  availability,  and 
confidentiality  of  information.  It  shall  specifically  address  the  planning 
and  budgeting  for  the  information  collection  burden  imposed  on  the  public  as 
defined  by  5  C.F.R.  1320; 

(c)  Operational  information  technology  planning  that  links  information 
technology  to  anticipated  program  and  mission  needs,  reflects  budget 
constraints,  and  forms  the  basis  for  budget  requests.  This  planning  should 
result  in  the  preparation  and  maintenance  of  an  up-to-date  five-year  plan,  as 
required  by  44  U.S.C.  3506,  which  includes: 

(i)  a  listing  of  existing  and  planned  major  information  systems; 

(ii)  a  listing  of  planned  information  technology  acquisitions; 

(iii)  an  explanation  of  how  the  listed  major  information  systems  and 
planned  information  technology  acquisitions  relate  to  each  other  and 
support  the  achievement  of  the  agency's  mission;  and 

iv)  a  summary  of  computer  security  planning,  as  required  by  Section  6  of 
the  Computer  Security  Act  of  1987  (40  U.S.C.  759  note);  and 

(d)  Coordination  with  other  agency  planning  processes  including  strategic, 
human  resources,  and  financial  resources. 

(3)  Information  Systems  Management  Oversight.  Agencies  shall  establish 
information  system  management  oversight  mechanisms  that: 

(a)  Ensure  that  each  information  system  meets  agency  mission  requirements; 


(b)  Provide  for  periodic  review  of  information  systems  to  determine: 


(i)  how  mission  requirements  might  have  changed; 


(ii)  whether  the  information  system  continues  to  fulfill  ongoing  and 
anticipated  mission  requirements;  and 

(iii)  what  level  of  maintenance  is  needed  to  ensure  the  information 
system  meets  mission  requirements  cost  effectively; 

(c)  Ensure  that  the  official  who  administers  a  program  supported  by  an 
information  system  is  responsible  and  accountable  for  the  management  of  that 
information  system  throughout  its  life  cycle; 

(d)  Provide  for  the  appropriate  training  for  users  of  Federal  information 
resources ; 

(e)  Prescribe  Federal  information  system  requirements  that  do  not  unduly 
restrict  the  prerogatives  of  State,  local,  and  tribal  governments; 

(f)  Ensure  that  major  information  systems  proceed  in  a  timely  fashion 
towards  agreed-upon  milestones  in  an  information  system  life  cycle,  meet  user 
requirements,  and  deliver  intended  benefits  to  the  agency  and  affected  publics 
through  coordinated  decision  making  about  the  information,  human,  financial, 
and  other  supporting  resources;  and 

(g)  Ensure  that  financial  management  systems  conform  to  the  requirements  of 
OMB  Circular  No.  A-127,  "Financial  Management  Systems." 

(4) Use of Information Resources. Agencies shall create and maintain management and technical frameworks for using information resources that document linkages between mission needs, information content, and information technology capabilities. These frameworks should guide both strategic and operational IRM planning. They should also address steps necessary to create an open systems environment. Agencies shall implement the following principles:

(a)  Develop  information  systems  in  a  manner  that  facilitates  necessary 
interoperability,  application  portability,  and  scalability  of  computerized 
applications  across  networks  of  heterogeneous  hardware,  software,  and 
communications  platforms; 

(b)  Ensure  that  improvements  to  existing  information  systems  and  the 
development  of  planned  information  systems  do  not  unnecessarily  duplicate 
information  systems  available  within  the  same  agency,  from  other  agencies,  or 
from  the  private  sector; 

(c)  Share  available  information  systems  with  other  agencies  to  the  extent 
practicable  and  legally  permissible; 

(d)  Meet  information  technology  needs  through  intra-agency  and  inter-agency 
sharing,  when  it  is  cost  effective,  before  acquiring  new  information 
technology  resources; 

(e)  For  Information  Processing  Service  Organizations  (IPSOs)  that  have 
costs  in  excess  of  $5  million  per  year,  agencies  shall: 


(i)  account  for  the  full  costs  of  operating  all  IPSOs; 


(ii)  recover  the  costs  incurred  for  providing  IPSO  services  to  all 
service  recipients  on  an  equitable  basis  commensurate  with  the  costs 
required  to  provide  those  services;  and 

(iii) document sharing agreements between service recipients and IPSOs; and

(f)  Establish  a  level  of  security  for  all  information  systems  that  is 
commensurate  with  the  risk  and  magnitude  of  the  harm  resulting  from  the  loss, 
misuse,  or  unauthorized  access  to  or  modification  of  the  information  contained 
in  these  information  systems. 


(5)  Acquisition  of  Information  Technology.  Agencies  shall: 

(a)  Acquire  information  technology  in  a  manner  that  makes  use  of  full  and 
open  competition  and  that  maximizes  return  on  investment; 

(b)  Acquire  off-the-shelf  software  from  commercial  sources,  unless  the  cost 
effectiveness  of  developing  custom  software  to  meet  mission  needs  is  clear  and 
has  been  documented; 

(c) Acquire information technology in accordance with OMB Circular No. A-109, "Acquisition of Major Systems," where appropriate; and

(d)  Acquire  information  technology  in  a  manner  that  considers  the  need  for 
accommodations  of  accessibility  for  individuals  with  disabilities  to  the 
extent  that  needs  for  such  access  exist. 

9.  Assignment  of  Responsibilities: 

a.  All  Federal  Agencies.  The  head  of  each  agency  shall: 

(1)  Have  primary  responsibility  for  managing  agency  information  resources; 

(2)  Ensure  that  the  information  policies,  principles,  standards, 
guidelines,  rules,  and  regulations  prescribed  by  OMB  are  implemented 
appropriately  within  the  agency; 

(3)  Develop  internal  agency  information  policies  and  procedures  and 
oversee,  evaluate,  and  otherwise  periodically  review  agency  information 
resources  management  activities  for  conformity  with  the  policies  set  forth  in 
this  Circular; 

(4)  Develop  agency  policies  and  procedures  that  provide  for  timely 
acquisition  of  required  information  technology; 

(5) Maintain an inventory of the agencies' major information systems, holdings and information dissemination products, as required by 44 U.S.C. 3511;

(6)  Implement  and  enforce  applicable  records  management  policies  and 
procedures,  including  requirements  for  archiving  information  maintained  in 
electronic  format,  particularly  in  the  planning,  design  and  operation  of 
information  systems. 


(7) Identify to the Director, OMB, statutory, regulatory, and other impediments to efficient management of Federal information resources and recommend to the Director legislation, policies, procedures, and other guidance to improve such management;

(8) Assist OMB in the performance of its functions under the PRA including making services, personnel, and facilities available to OMB for this purpose to the extent practicable;

(9) Appoint a senior official, as required by 44 U.S.C. 3506(a), who shall report directly to the agency head to carry out the responsibilities of the agency under the PRA. The head of the agency shall keep the Director, OMB, advised as to the name, title, authority, responsibilities, and organizational resources of the senior official. For purposes of this paragraph, military departments and the Office of the Secretary of Defense may each appoint one official.

(10)  Direct  the  senior  official  appointed  pursuant  to  44  U.S.C.  3506(a)  to 
monitor  agency  compliance  with  the  policies,  procedures,  and  guidance  in  this 
Circular.  Acting  as  an  ombudsman,  the  senior  official  shall  consider  alleged 
instances  of  agency  failure  to  comply  with  this  Circular  and  recommend  or  take 
corrective  action  as  appropriate.  The  senior  official  shall  report  annually, 
not  later  than  February  1st  of  each  year,  to  the  Director  those  instances  of 
alleged  failure  to  comply  with  this  Circular  and  their  resolution. 

b.  Department  of  State.  The  Secretary  of  State  shall: 

(1)  Advise  the  Director,  OMB,  on  the  development  of  United  States 
positions  and  policies  on  international  information  policy  issues  affecting 
Federal  Government  information  activities  and  ensure  that  such  positions  and 
policies  are  consistent  with  Federal  information  resources  management  policy; 

(2)  Ensure,  in  consultation  with  the  Secretary  of  Commerce,  that  the 
United  States  is  represented  in  the  development  of  international  information 
technology  standards,  and  advise  the  Director,  OMB,  of  such  activities. 

c.  Department  of  Commerce.  The  Secretary  of  Commerce  shall: 

(1)  Develop  and  issue  Federal  Information  Processing  Standards  and 
guidelines  necessary  to  ensure  the  efficient  and  effective  acquisition, 
management,  security,  and  use  of  information  technology; 

(2)  Advise  the  Director,  OMB,  on  the  development  of  policies  relating  to 
the  procurement  and  management  of  Federal  telecommunications  resources; 

(3)  Provide  OMB  and  the  agencies  with  scientific  and  technical  advisory 
services  relating  to  the  development  and  use  of  information  technology; 

(4)  Conduct  studies  and  evaluations  concerning  telecommunications 
technology,  and  concerning  the  improvement,  expansion,  testing,  operation,  and 
use  of  Federal  telecommunications  systems  and  advise  the  Director,  OMB,  and 
appropriate  agencies  of  the  recommendations  that  result  from  such  studies; 

(5)  Develop,  in  consultation  with  the  Secretary  of  State  and  the  Director 
of  OMB,  plans,  policies,  and  programs  relating  to  international 
telecommunications  issues  affecting  government  information  activities; 


(6) Identify needs for standardization of telecommunications and information processing technology, and develop standards, in consultation with the Secretary of Defense and the Administrator of General Services, to ensure efficient application of such technology;

(7) Ensure that the Federal Government is represented in the development of national and, in consultation with the Secretary of State, international information technology standards, and advise the Director, OMB, of such activities.

d.  Department  of  Defense.  The  Secretary  of  Defense  shall  develop,  in 
consultation  with  the  Administrator  of  General  Services,  uniform  Federal 
telecommunications  standards  and  guidelines  to  ensure  national  security, 
emergency  preparedness,  and  continuity  of  government. 

e. General Services Administration. The Administrator of General Services shall:

(1)  Advise  the  Director,  OMB,  and  agency  heads  on  matters  affecting  the 
procurement  of  information  technology; 

(2)  Coordinate  and,  when  required,  provide  for  the  purchase,  lease,  and 
maintenance  of  information  technology  required  by  Federal  agencies; 

(3)  Develop  criteria  for  timely  procurement  of  information  technology  and 
delegate  procurement  authority  to  agencies  that  comply  with  the  criteria; 

(4) Provide guidelines and regulations for Federal agencies, as authorized by law, on the acquisition, maintenance, and disposition of information technology, and for implementation of Federal Information Processing Standards;

(5)  Develop  policies  and  guidelines  that  facilitate  the  sharing  of 
information  technology  among  agencies  as  required  by  this  Circular; 

(6) Manage the Information Technology Fund in accordance with the Federal Property and Administrative Services Act as amended.

f.  Office  of  Personnel  Management.  The  Director,  Office  of  Personnel 
Management,  shall: 

(1)  Develop  and  conduct  training  programs  for  Federal  personnel  on 
information  resources  management  including  end-user  computing; 

(2)  Evaluate  periodically  future  personnel  management  and  staffing 
requirements  for  Federal  information  resources  management; 

(3)  Establish  personnel  security  policies  and  develop  training  programs 
for  Federal  personnel  associated  with  the  design,  operation,  or  maintenance  of 
information  systems. 

g.  National  Archives  and  Records  Administration.  The  Archivist  of  the 
United  States  shall: 

(1)  Administer  the  Federal  records  management  program  in  accordance  with 
the  National  Archives  and  Records  Act; 


(2) Assist the Director, OMB, in developing standards and guidelines relating to the records management program.


h.  Office  of  Management  and  Budget.  The  Director  of  the  Office  of 
Management  and  Budget  shall: 

(1)  Provide  overall  leadership  and  coordination  of  Federal  information 
resources  management  within  the  executive  branch; 

(2)  Serve  as  the  President's  principal  adviser  on  procurement  and 
management  of  Federal  telecommunications  systems,  and  develop  and  establish 
policies  for  procurement  and  management  of  such  systems; 

(3) Issue policies, procedures, and guidelines to assist agencies in achieving integrated, effective, and efficient information resources management;

(4)  Initiate  and  review  proposals  for  changes  in  legislation,  regulations, 
and  agency  procedures  to  improve  Federal  information  resources  management; 

(5)  Review  and  approve  or  disapprove  agency  proposals  for  collection  of 
information  from  the  public,  as  defined  by  5  CFR  1320.3; 

(6) Develop and maintain a Governmentwide strategic plan for information resources management;

(7)  Evaluate  agencies'  information  resources  management  and  identify 
cross-cutting  information  policy  issues  through  the  review  of  agency 
information  programs,  information  collection  budgets,  information  technology 
acquisition  plans,  fiscal  budgets,  and  by  other  means; 

(8)  Provide  policy  oversight  for  the  Federal  records  management  function 
conducted  by  the  National  Archives  and  Records  Administration,  coordinate 
records  management  policies  and  programs  with  other  information  activities, 
and  review  compliance  by  agencies  with  records  management  requirements; 

(9) Review agencies' policies, practices, and programs pertaining to the security, protection, sharing, and disclosure of information, in order to ensure compliance, with respect to privacy and security, with the Privacy Act, the Freedom of Information Act, the Computer Security Act and related statutes;

(10)  Resolve  information  technology  procurement  disputes  between  agencies 
and  the  General  Services  Administration  pursuant  to  Section  111  of  the  Federal 
Property  and  Administrative  Services  Act; 

(11) Review proposed U.S. Government Position and Policy statements on international issues affecting Federal Government information activities and advise the Secretary of State as to their consistency with Federal information resources management policy; and

(12) Coordinate the development and review by the Office of Information and Regulatory Affairs of policy associated with Federal procurement and acquisition of information technology with the Office of Federal Procurement Policy.

10. Oversight:

a. The Director, OMB, will use information technology planning reviews, fiscal budget reviews, information collection budget reviews, management reviews, and such other measures as the Director deems necessary to evaluate the adequacy and efficiency of each agency's information resources management and compliance with this Circular.

b.  The  Director,  OMB,  may,  consistent  with  statute  and  upon  written 
request  of  an  agency,  grant  a  waiver  from  particular  requirements  of  this 
Circular.  Requests  for  waivers  must  detail  the  reasons  why  a  particular 
waiver  is  sought,  identify  the  duration  of  the  waiver  sought,  and  include  a 
plan  for  the  prompt  and  orderly  transition  to  full  compliance  with  the 
requirements  of  this  Circular.  Notice  of  each  waiver  request  shall  be 
published  promptly  by  the  agency  in  the  Federal  Register,  with  a  copy  of  the 
waiver  request  made  available  to  the  public  on  request. 

11. Effectiveness: This Circular is effective upon issuance. Nothing in this Circular shall be construed to confer a private right of action on any person.

12.  Inquiries:  All  questions  or  inquiries  should  be  addressed  to  the 
Office  of  Information  and  Regulatory  Affairs,  Office  of  Management  and  Budget, 
Washington,  D.C.  20503.  Telephone:  (202)  395-3785. 

13.  Sunset  Review  Date:  OMB  will  review  this  Circular  three  years  from  the 
date  of  issuance  to  ascertain  its  effectiveness. 


Appendix  I  to  OMB  Circular  No.  A-130  -  Federal  Agency  Responsibilities  for 
Maintaining  Records  About  Individuals 

1.  Purpose  and  Scope. 

This Appendix describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. Note that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting Matching Programs (54 FR at 25819, June 19, 1989).

2.  Definitions. 

a. The terms "agency," "individual," "maintain," "matching program," "record," "system of records," and "routine use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a(a)).

b. Matching Agency. Generally, the Recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is the matching agency and is responsible for meeting the reporting and publication requirements associated with the matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).

c. Nonfederal Agency. Nonfederal agencies are State or local governmental agencies receiving or providing records in a matching program with a Federal agency.

d.  Recipient  Agency.  Recipient  agencies  are  Federal  agencies  or  their 
contractors  receiving  automated  records  from  the  Privacy  Act  systems  of 
records  of  other  Federal  agencies,  or  from  State  or  local  governments,  to  be 
used  in  a  matching  program  as  defined  in  the  Act. 

e.  Source  Agency.  A  source  agency  is  a  Federal  agency  that  discloses 
automated  records  from  a  system  of  records  to  another  Federal  agency  or  to  a 
State  or  local  agency  to  be  used  in  a  matching  program.  It  is  also  a  State  or 
local  agency  that  discloses  records  to  a  Federal  agency  for  use  in  a  matching 
program. 

3.  Assignment  of  Responsibilities. 

a.  All  Federal  Agencies.  In  addition  to  meeting  the  agency  requirements 
contained  in  the  Act  and  the  specific  reporting  and  publication  requirements 
detailed  in  this  Appendix,  the  head  of  each  agency  shall  ensure  that  the 
following  reviews  are  conducted  as  often  as  specified  below,  and  be  prepared 
to  report  to  the  Director,  OMB,  the  results  of  such  reviews  and  the  corrective 
action  taken  to  resolve  problems  uncovered.  The  head  of  each  agency  shall: 

(1) Section (m) Contracts. Review every two years a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the agency to accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act binding on the contractor and his or her employees. (See 5 U.S.C. 552a(m)(1))


(2)  Recordkeeping  Practices.  Review  biennially  agency  recordkeeping  and 
disposal  policies  and  practices  in  order  to  assure  compliance  with  the  Act, 
paying  particular  attention  to  the  maintenance  of  automated  records. 

(3)  Routine  Use  Disclosures.  Review  every  four  years  the  routine  use 
disclosures  associated  with  each  system  of  records  in  order  to  ensure  that  the 
recipient's  use  of  such  records  continues  to  be  compatible  with  the  purpose 
for  which  the  disclosing  agency  collected  the  information. 

(4)  Exemption  of  Systems  of  Records.  Review  every  four  years  each  system  of 
records  for  which  the  agency  has  promulgated  exemption  rules  pursuant  to 
Section  (j)  or  (k)  of  the  Act  in  order  to  determine  whether  such  exemption  is 
still  needed. 

(5)  Matching  Programs.  Review  annually  each  ongoing  matching  program  in 
which  the  agency  has  participated  during  the  year  in  order  to  ensure  that  the 
requirements  of  the  Act,  the  OMB  guidance,  and  any  agency  regulations, 
operating  instructions,  or  guidelines  have  been  met. 

(6)  Privacy  Act  Training.  Review  biennially  agency  training  practices  in 
order  to  ensure  that  all  agency  personnel  are  familiar  with  the  requirements 
of  the  Act,  with  the  agency's  implementing  regulation,  and  with  any  special 
requirements  of  their  specific  jobs. 

(7)  Violations.  Review  biennially  the  actions  of  agency  personnel  that  have 
resulted  either  in  the  agency  being  found  civilly  liable  under  Section  (g)  of 
the  Act,  or  an  employee  being  found  criminally  liable  under  the  provisions  of 
Section  (i)  of  the  Act,  in  order  to  determine  the  extent  of  the  problem,  and 
to  find  the  most  effective  way  to  prevent  recurrence  of  the  problem. 

(8) Systems of Records Notices. Review biennially each system of records notice to ensure that it accurately describes the system of records. Where minor changes are needed, e.g., the name of the system manager, ensure that an amended notice is published in the Federal Register. Agencies may choose to make one annual comprehensive publication consolidating such minor changes. This requirement is distinguished from and in addition to the requirement to report to OMB and Congress significant changes to systems of records and to publish those changes in the Federal Register (See paragraph 4c of this Appendix).

b.  Department  of  Commerce.  The  Secretary  of  Commerce  shall,  consistent  with 
guidelines  issued  by  the  Director,  OMB,  develop  and  issue  standards  and 
guidelines  for  ensuring  the  security  of  information  protected  by  the  Act  in 
automated  information  systems. 

c.  The  Department  of  Defense,  General  Services  Administration,  and  National 
Aeronautics  and  Space  Administration.  These  agencies  shall,  consistent  with 
guidelines  issued  by  the  Director,  OMB,  ensure  that  instructions  are  issued  on 
what  agencies  must  do  in  order  to  comply  with  the  requirements  of  Section  (m) 
of  the  Act  when  contracting  for  the  operation  of  a  system  of  records  to 
accomplish  an  agency  purpose. 

d.  Office  of  Personnel  Management.  The  Director  of  the  Office  of  Personnel 
Management  shall,  consistent  with  guidelines  issued  by  the  Director,  OMB: 


(1)  Develop  and  maintain  government-wide  standards  and  procedures  for 
civilian  personnel  information  processing  and  recordkeeping  directives  to 
assure  conformance  with  the  Act. 

(2)  Develop  and  conduct  Privacy  Act  training  programs  for  agency  personnel, 
including  both  the  conduct  of  courses  in  various  substantive  areas  (e.g., 
administrative,  information  technology)  and  the  development  of  materials  that 
agencies  can  use  in  their  own  courses.  The  assignment  of  this  responsibility 
to  OPM  does  not  affect  the  responsibility  of  individual  agency  heads  for 
developing  and  conducting  training  programs  tailored  to  the  specific  needs  of 
their  own  personnel. 

e. National Archives and Records Administration. The Archivist of the United States, through the Office of the Federal Register, shall, consistent with guidelines issued by the Director, OMB:

(1)  Issue  instructions  on  the  format  of  the  agency  notices  and  rules  required 
to  be  published  under  the  Act. 

(2) Compile and publish every two years the rules promulgated under 5 U.S.C. 552a(f) and agency notices published under 5 U.S.C. 552a(e)(4) in a form available to the public at low cost.

(3) Issue procedures governing the transfer of records to Federal Records Centers for storage, processing, and servicing pursuant to 44 U.S.C. 3103. For purposes of the Act, such records are considered to be maintained by the agency that deposited them. The Archivist may disclose deposited records only according to the access rules established by the agency that deposited them.

f.  Office  of  Management  and  Budget.  The  Director  of  the  Office  of  Management 
and  Budget  will: 

(1)  Issue  guidelines  and  directives  to  the  agencies  to  implement  the  Act. 

(2) Assist the agencies, at their request, in implementing their Privacy Act programs.

(3)  Review  new  and  altered  system  of  records  and  matching  program  reports 
submitted  pursuant  to  Section  (o)  of  the  Act. 

(4)  Compile  the  biennial  report  of  the  President  to  Congress  in  accordance 
with  Section  (s)  of  the  Act. 

(5) Compile and issue a biennial report on the agencies' implementation of the computer matching provisions of the Privacy Act, pursuant to Section (u)(6) of the Act.


4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds of reports:

Report | When Due | Recipient**
Biennial Privacy Act Report | June 30, 1996, 1998, 2000, 2002 | Administrator, OIRA
Biennial Matching Activity Report | June 30, 1996, 1998, 2000, 2002 | Administrator, OIRA
New System of Records Report | When establishing a system of records - at least 40 days before operating the system* | Administrator, OIRA; Congress
Altered System of Records Report | When adding a new routine use, exemption, or otherwise significantly altering an existing system of records - at least 40 days before change to system takes place* | Administrator, OIRA; Congress
New Matching Program Report | When establishing a new matching program - at least 40 days before operating the program* | Administrator, OIRA; Congress
Renewal of Existing Matching Program | At least 40 days prior to expiration of any one year extension of the original program - treat as a new program | Administrator, OIRA; Congress
Altered Matching Program | When making a significant change to an existing matching program - at least 40 days before operating an altered program* | Administrator, OIRA; Congress
Matching Agreements | At least 40 days prior to the start of a matching program* | Congress

*  Review  Period:  Note  that  the  statutory  reporting  requirement  is  30  days 
prior;  the  additional  ten  days  will  ensure  that  OMB  and  Congress  have 
sufficient  time  to  review  the  proposal.  Agencies  should  therefore  ensure  that 
reports  are  mailed  expeditiously  after  being  signed. 

**  Recipient  Addresses:  At  bottom  of  envelope  print  "PRIVACY  ACT  REPORT" 

House  of  Representatives: 

The  Chair  of  the  House  Committee  on  Government  Reform  and  Oversight,  2157 
RHOB,  Washington,  D.C.  20515-6143. 

Senate:

The Chair of the Senate Committee on Governmental Affairs, 340 SDOB, Washington, D.C. 20510-6250.

Office  of  Management  and  Budget: 

The  Administrator  of  the  Office  of  Information  and  Regulatory  Affairs,  Office 
of  Management  and  Budget,  ATTN:  Docket  Library,  NEOB  Room  10012,  Washington, 
D.C.  20503. 

a.  Biennial  Privacy  Act  Report.  To  provide  the  necessary  information  for 
the  biennial  report  of  the  President,  agencies  shall  submit  a  biennial  report 
to  OMB,  covering  their  Privacy  Act  activities  for  the  calendar  years  covered 
by  the  reporting  period.  The  exact  format  of  the  report  will  be  established 
by  OMB.  At  a  minimum,  however,  agencies  should  collect  and  be  prepared  to 
report  the  following  data  on  a  calendar  year  basis: 

(1) A listing of publication activity during the year showing the following:

*  Total  Number  of  Systems  of  Records  (Exempt/NonExempt) 

*  Number  of  New  Systems  of  Records  Added  (Exempt/NonExempt) 

*  Number  Routine  Uses  Added 

*  Number  Exemptions  Added  to  Existing  Systems 

*  Number  Exemptions  Deleted  from  Existing  Systems 

*  Total  Number  of  Automated  Systems  of  Records  (Exempt/NonExempt) 

The  agency  should  provide  a  brief  narrative  describing  those  activities  in 
detail,  e.g.,  "the  Department  added  a  (k) (1)  exemption  to  an  existing  system 
of  records  entitled  "Investigative  Records  of  the  Office  of  Investigations;" 
or  "the  agency  added  a  new  routine  use  to  a  system  of  records  entitled 
"Employee  Health  Records"  that  would  permit  disclosure  of  health  data  to 
researchers  under  contract  to  the  agency  to  perform  workplace  risk  analysis." 

(2)  A  brief  description  of  any  public  comments  received  on  agency 
publication  and  implementation  activities,  and  agency  response. 

(3) Number of access and amendment requests from record subjects citing the Privacy Act that were received during the calendar year of the report. Also the disposition of requests from any year that were completed during the calendar year of the report:

* Total Number of Access Requests
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
    Number For Which No Record Found

* Total Amendment Requests
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied

* Number of Appeals of Denials of Access
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
    Number For Which No Record Found

* Number of Appeals of Denials of Amendment
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied

(4)  Number  of  instances  in  which  individuals  brought  suit  under  section 
(g)  of  the  Privacy  Act  against  the  agency  and  the  results  of  any  such 
litigation  that  resulted  in  a  change  to  agency  practices  or  affected  guidance 
issued  by  OMB. 

(5)  Results  of  the  reviews  undertaken  in  response  to  paragraph  3a  of 
this  Appendix. 

(6)  Description  of  agency  Privacy  Act  training  activities  conducted  in 
accordance  with  paragraph  3a  (6)  of  this  Appendix. 

b. Biennial Matching Activity Report (See 5 U.S.C. 552a(u)(3)(D)). At the end of each calendar year, the Data Integrity Board of each agency that has participated in a matching program will collect data summarizing that year's matching activity. The Act requires that such activity be reported every two years. OMB will establish the exact format of the report, but agencies' Data Integrity Boards should be prepared to report the data identified below both to the agency head and to OMB:

(1)  A  listing  of  the  names  and  positions  of  the  members  of  the  Data 
Integrity  Board  and  showing  separately  the  name  of  the  Board  Secretary,  his  or 
her  agency  mailing  address,  and  telephone  number.  Also  show  and  explain  any 
changes  in  membership  or  structure  occurring  during  the  reporting  year. 

(2)  A  listing  of  each  matching  program,  by  title  and  purpose,  in  which 
the  agency  participated  during  the  reporting  year.  This  listing  should  show 
names  of  participant  agencies,  give  a  brief  description  of  the  program,  and 
give  a  page  citation  and  the  date  of  the  Federal  Register  notice  describing 
the  program. 

(3)  For  each  matching  program,  an  indication  of  whether  the 
cost/benefit  analysis  performed  resulted  in  a  favorable  ratio.  The  Data 
Integrity  Board  should  explain  why  the  agency  proceeded  with  any  matching 
program  for  which  an  unfavorable  ratio  was  reached. 

(4) For each program for which the Board waived a cost/benefit
analysis, the reasons for the waiver and the results of the match, if
tabulated.

(5)  A  description  of  any  matching  agreement  the  Board  rejected  and  an 
explanation  of  the  rejection. 


(6)  A  listing  of  any  violations  of  matching  agreements  that  have  been 
alleged  or  identified,  and  a  discussion  of  any  action  taken. 

(7)  A  discussion  of  any  litigation  involving  the  agency's  participation 
in  any  matching  program. 

(8)  For  any  litigation  based  on  allegations  of  inaccurate  records,  an 
explanation  of  the  steps  the  agency  used  to  ensure  the  integrity  of  its  data 
as  well  as  the  verification  process  it  used  in  the  matching  program,  including 
an  assessment  of  the  adequacy  of  each. 

c.  New  and  Altered  System  of  Records  Report.  The  Act  requires  agencies  to 
publish  notices  in  the  Federal  Register  describing  new  or  altered  systems  of 
records,  and  to  submit  reports  to  OMB,  and  to  the  Chair  of  the  Committee  on 
Government  Reform  and  Oversight  of  the  House  of  Representatives,  and  the  Chair 
of  the  Committee  on  Governmental  Affairs  of  the  Senate.  The  reports  must  be 
transmitted  at  least  40  days  prior  to  the  operation  of  the  new  system  of 
records  or  the  date  on  which  the  alteration  to  an  existing  system  takes  place. 

(1)  Which  Alterations  Require  a  Report.  Minor  changes  to  systems  of 
records  need  not  be  reported.  For  example,  a  change  in  the  designation  of  the 
system  manager  due  to  a  reorganization  would  not  require  a  report,  so  long  as 
an  individual's  ability  to  gain  access  to  his  or  her  records  is  not  affected. 
Other  examples  include  changing  applicable  safeguards  as  a  result  of  a  risk 
analysis  or  deleting  a  routine  use  when  there  is  no  longer  a  need  for  the 
disclosure.  The  following  changes  are  those  for  which  a  report  is  required: 


(a) A significant increase in the number, type, or category
of individuals about whom records are maintained. For example, a system
covering physicians that has been expanded to include other types of health
care providers, e.g., nurses, technicians, etc., would require a report.
Increases attributable to normal growth should not be reported.


(b)  A  change  that  expands  the  types  or  categories  of 
information  maintained.  For  example,  a  benefit  system  which  originally 
included  only  earned  income  information  that  has  been  expanded  to  include 
unearned  income  information. 


(c) A change that alters the purpose for which the
information is used.

(d) A change to equipment configuration (either hardware or
software) that creates substantially greater access to the records in the
system of records. For example, locating interactive terminals at regional
offices for accessing a system formerly accessible only at the headquarters
would require a report.

(e) The addition of an exemption pursuant to Section (j) or
(k) of the Act. Note that, in examining a rulemaking for a Privacy Act
exemption as part of a report of a new or altered system of records, OMB will
also review the rule under applicable regulatory review procedures and
agencies need not make a separate submission for that purpose.

(f) The addition of a routine use pursuant to 5 U.S.C.
552a(b)(3).

(2) Reporting Changes to Multiple Systems of Records. When an agency
makes a change to an information technology installation or a
telecommunication network, or makes any other general changes in information
collection, processing, dissemination, or storage that affect multiple systems
of records, it may submit a single, consolidated report, with changes to
existing notices and supporting documentation included in the submission.

(3)  Contents  of  the  New  or  Altered  System  Report.  The  report  for  a  new 
or  altered  system  has  three  elements:  a  transmittal  letter,  a  narrative 
statement,  and  supporting  documentation. 

(a)  Transmittal  Letter.  The  transmittal  letter  should  be 
signed  by  the  senior  agency  official  responsible  for  implementation  of  the  Act 
within  the  agency  and  should  contain  the  name  and  telephone  number  of  the 
individual  who  can  best  answer  questions  about  the  system  of  records.  The 
letter  should  contain  the  agency's  assurance  that  the  proposed  system  does  not 
duplicate  any  existing  agency  or  government-wide  systems  of  records.  The 
letter  sent  to  OMB  may  also  include  a  request  for  waiver  of  the  time  period 
for the review. The agency should indicate why it cannot meet the
established review period and the consequences of not obtaining the waiver.
(See paragraph 4e below.) There is no prescribed format for the letter.

(b)  Narrative  Statement.  There  is  also  no  prescribed 
format  for  the  narrative  statement,  but  it  should  be  brief.  It  should  make 
reference,  as  appropriate,  to  information  in  the  supporting  documentation 
rather  than  restating  such  information.  The  statement  should: 

1.  Describe  the  purpose  for  which  the  agency  is 
establishing  the  system  of  records. 

2.  Identify  the  authority  under  which  the  system  of 
records  is  maintained.  The  agency  should  avoid  citing  housekeeping  statutes, 
but  rather  cite  the  underlying  programmatic  authority  for  collecting, 
maintaining,  and  using  the  information.  When  the  system  is  being  operated  to 
support  an  agency  housekeeping  program,  e.g.,  a  carpool  locator,  the  agency 
may,  however,  cite  a  general  housekeeping  statute  that  authorizes  the  agency 
head  to  keep  such  records  as  necessary. 

3. Provide the agency's evaluation of the probable or
potential effect of the proposal on the privacy of individuals.

4. Provide a brief description of the steps taken by
the agency to minimize the risk of unauthorized access to the system of
records. A more detailed assessment of the risks and specific administrative,
technical, procedural, and physical safeguards established shall be made
available to OMB upon request.

5.  Explain  how  each  proposed  routine  use  satisfies 
the  compatibility  requirement  of  subsection  (a) (7)  of  the  Act.  For  altered 
systems,  this  requirement  pertains  only  to  any  newly  proposed  routine  use. 


6. Provide OMB Control Numbers, expiration dates, and
titles of any information collection requests (e.g., forms, surveys, etc.)
contained in the system of records and approved by OMB under the Paperwork
Reduction Act. If the request for OMB clearance of an information
collection is pending, the agency may simply state the title of the collection
and the date it was submitted for OMB clearance.

(c)  Supporting  Documentation.  Attach  the  following  to  all 
new  or  altered  system  of  records  reports: 

1. A copy of the new or altered system of records
notice consistent with the provisions of 5 U.S.C. 552a(e)(4). The notice
must appear in the format prescribed by the Office of the Federal Register's
Document Drafting Handbook. For proposed altered systems the agency should
supply a copy of the original system of records notice to ensure that
reviewers can understand the changes proposed. If the sole change to an
existing system of records is to add a routine use, the agency should either
republish the entire system of records notice, a condensed description of the
system of records, or a citation to the last full text Federal Register
publication.


2. A copy in Federal Register format of any new
exemption rules or changes to published rules (consistent with the provisions
of 5 U.S.C. 552a(f), (j), or (k)) that the agency proposes to issue for the new
or altered system.

(4)  OMB  Review.  OMB  will  review  reports  under  5  U.S.C.  552a (r)  and 
provide  comments  if  appropriate.  Agencies  may  assume  that  OMB  concurs  in  the 
Privacy  Act  aspects  of  their  proposal  if  OMB  has  not  commented  within  40  days 
from  the  date  the  transmittal  letter  was  signed.  Agencies  should  ensure  that 
letters  are  transmitted  expeditiously  after  they  are  signed. 

(5)  Timing  of  Systems  of  Records  Reports.  Agencies  may  publish  system 
of  records  and  routine  use  notices  as  well  as  proposed  exemption  rules  in  the 
Federal  Register  at  the  same  time  that  they  send  the  new  or  altered  system 
report  to  OMB  and  Congress.  The  period  for  OMB  and  congressional  review  and 
the  notice  and  comment  period  for  routine  uses  and  exemptions  will  then  run 
concurrently.  Note  that  exemptions  must  be  published  as  final  rules  before 
they  are  effective. 

d.  New  or  Altered  Matching  Program  Report.  The  Act  requires  agencies  to 
publish  notices  in  the  Federal  Register  describing  new  or  altered  matching 
programs,  and  to  submit  reports  to  OMB,  and  to  Congress.  The  report  must  be 
received  at  least  40  days  prior  to  the  initiation  of  any  matching  activity 
carried  out  under  a  new  or  substantially  altered  matching  program.  For 
renewals  of  continuing  programs,  the  report  must  be  dated  at  least  40  days 
prior  to  the  expiration  of  any  existing  matching  agreement. 

(1)  When  to  Report  Altered  Matching  Programs.  Agencies  need  not  report 
minor  changes  to  matching  programs.  The  term  "minor  change  to  a  matching 
program"  means  a  change  that  does  not  significantly  alter  the  terms  of  the 
agreement  under  which  the  program  is  being  carried  out.  Examples  of 
significant  changes  include: 


(a) Changing the purpose for which the program was
established.

(b) Changing the matching population, either by including
new categories of record subjects or by greatly increasing the numbers of
records matched.

(c) Changing the legal authority covering the matching
program.

(d) Changing the source or recipient agencies involved in
the matching program.


(2)  Contents  of  New  or  Altered  Matching  Program  Report.  The  report  for 
a  new  or  altered  matching  program  has  three  elements:  a  transmittal  letter,  a 
narrative  statement,  and  supporting  documentation  that  includes  a  copy  of  the 
proposed  Federal  Register  notice. 


(a) Transmittal Letter. The transmittal letter should be
signed by the senior agency official responsible for implementation of the
Privacy Act within the agency and should contain the name and telephone number
of the individual who can best answer questions about the matching program.
The letter should state that a copy of the matching agreement has been
distributed to Congress as the Act requires. The letter to OMB may also
include a request for waiver of the review time period. (See 4e below.)


(b) Narrative Statement. There is no prescribed format for
the narrative statement, but it should be brief. It should make reference, as
appropriate, to information in the supporting documentation rather than
restating such information. The statement should provide:

1.  A  description  of  the  purpose  of  the  matching 
program  and  the  authority  under  which  it  is  being  carried  out. 


2. A description of the security safeguards used to
protect against any unauthorized access or disclosure of records used in the
match.


3. If the cost/benefit analysis required by Section
(u)(4)(A) indicated an unfavorable ratio or was waived pursuant to OMB
guidance, an explanation of the basis on which the agency justifies conducting
the match.


(c)  Supporting  Documentation.  Attach  the  following: 

1. A copy of the Federal Register notice describing
the matching program. The notice must appear in the format prescribed by the
Office of the Federal Register's Document Drafting Handbook. (See 5b(3).)

2. For the Congressional report only, a copy of the
matching agreement.


(3)  OMB  Review.  OMB  will  review  reports  under  5  U.S.C.  552a  (r)  and 
provide  comments  if  appropriate.  Agencies  may  assume  that  OMB  concurs  in  the 
Privacy  Act  aspects  of  their  proposal  if  OMB  has  not  commented  within  40  days 
from  the  date  the  transmittal  letter  was  signed. 


(4) Timing of Matching Program Reports. Agencies should ensure that
letters are transmitted expeditiously after they are signed. Agencies may
publish matching program notices in the Federal Register at the same time that
they send the matching program report to OMB and Congress. The period for OMB
and congressional review and the notice and comment period will then run
concurrently.

e.  Expedited  Review.  The  Director,  OMB,  may  grant  a  waiver  of  the  40-day 
review  period  for  either  systems  of  records  or  matching  program  reviews.  The 
agency  must  ask  for  the  waiver  in  the  transmittal  letter  and  demonstrate 
compelling  reasons.  When  a  waiver  is  granted,  the  agency  is  not  thereby 
relieved  of  any  other  requirement  of  the  Act.  If  no  waiver  is  granted, 
agencies  may  presume  concurrence  at  the  expiration  of  the  40  day  review  period 
if  OMB  has  not  commented  by  that  time.  Note  that  OMB  cannot  waive  time 
periods  specifically  established  by  the  Act  such  as  the  30  days  notice  and 
comment  period  required  for  the  adoption  of  a  routine  use  proposal  pursuant  to 
Section  (b) (3)  of  the  Act. 

5.  Publication  Requirements.  The  Privacy  Act  requires  agencies  to  publish 
notices  or  rules  in  the  Federal  Register  in  the  following  circumstances:  when 
adopting  a  new  or  altered  system  of  records,  when  adopting  a  routine  use,  when 
adopting  an  exemption  for  a  system  of  records,  or  when  proposing  to  carry  out 
a new or altered matching program. (See paragraph 4c(1) and 4d(1) above on
what constitutes an alteration requiring a report to OMB and the Congress.)

a. Publishing New or Altered Systems of Records Notices and Exemption
Rules.


(1)  Who  Publishes.  The  agency  responsible  for  operating  the  system  of 
records  makes  the  necessary  publication.  Publication  should  be  carried  out  at 
the  departmental  or  agency  level.  Even  where  a  system  of  records  is  to  be 
operated  exclusively  by  a  component,  the  department  rather  than  the  component 
should  publish  the  notice.  Thus,  for  example,  the  Department  of  the  Treasury 
would  publish  a  system  of  records  notice  covering  a  system  operated 
exclusively  by  the  Internal  Revenue  Service.  Note  that  if  the  agency  is 
proposing  to  exempt  the  system  under  Section  (j)  or  (k)  of  the  Act,  it  must 
publish  a  rule  in  addition  to  the  system  of  records  notice. 

(a)  Government-wide  Systems  of  Records.  Certain  agencies 
publish systems of records containing records for which they have
government-wide responsibilities. The records may be located in other agencies, but they
are  being  used  under  the  authority  of  and  in  conformance  with  the  rules 
mandated  by  the  publishing  agency.  The  Office  of  Personnel  Management,  for 
example,  has  published  a  number  of  government-wide  systems  of  records  relating 
to  the  operation  of  the  government's  personnel  program.  Agencies  should  not 
publish  systems  of  records  that  wholly  or  partly  duplicate  existing 
government-wide  systems  of  records. 

(b)  Section  (m)  Contract  Provisions.  When  an  agency 
provides  by  contract  for  the  operation  of  a  system  of  records,  it  should 
ensure  that  a  system  of  records  notice  describing  the  system  has  been 
published.  It  should  also  review  the  notice  to  ensure  that  it  contains  a 
routine  use  under  Section  (e) (4) (D)  of  the  Act  permitting  disclosure  to  the 
contractor  and  his  or  her  personnel. 

(2) When to Publish.

(a) System Notice. The system of records notice must
appear in the Federal Register before the agency begins to operate the system,
e.g., collect and use the information.

(b)  Routine  Use.  A  routine  use  must  be  published  in  the 
Federal  Register  30  days  before  the  agency  discloses  records  pursuant  to  its 
terms.  (Note  that  the  addition  of  a  routine  use  to  an  existing  system  of 
records  requires  a  report  to  OMB  and  Congress,  and  that  the  review  period  for 
this  report  is  40  days.) 

(c) Exemption Rule. A rule exempting a system of records
under (j) or (k) of the Act must be established through informal rulemaking
pursuant to the Administrative Procedure Act. This process generally requires
publication of a proposed rule, a period during which the public may comment,
publication of a final rule, and the adoption of the final rule. Agencies may
not withhold records under an exemption until these requirements have been
met.


(3)  Format.  Agencies  should  follow  the  publication  format  contained  in 
the  Office  of  the  Federal  Register's  Document  Drafting  Handbook  which  may  be 
obtained  from  the  Government  Printing  Office. 

b.  Publishing  Matching  Notices. 

(1)  Who  Publishes.  Generally,  the  recipient  Federal  agency  (or  the 
Federal  source  agency  in  a  match  conducted  by  a  nonfederal  agency)  is 
responsible  for  publishing  in  the  Federal  Register  a  notice  describing  the  new 
or  altered  matching  program.  However,  in  large,  multi-agency  matching 
programs,  where  the  recipient  agency  is  merely  performing  the  matches,  and  the 
benefit  accrues  to  the  source  agencies,  the  partners  should  assign 
responsibility  for  compliance  with  the  administrative  requirements  in  a  fair 
and  reasonable  way.  This  may  mean  having  the  matching  agency  carry  out  these 
requirements  for  all  parties,  having  one  participant  designated  to  do  so,  or 
having each source agency do so for its own matching program(s).

(2)  Timing.  Publication  must  occur  at  least  30  days  prior  to  the 
initiation  of  any  matching  activity  carried  out  under  a  new  or  substantially 
altered  matching  program.  For  renewals  of  programs  agencies  wish  to  continue 
past the 30 month period of initial eligibility (i.e., the initial 18 months
plus a one year extension), publication must occur at least 30 days prior to
the expiration of the existing matching agreement. (But note that a report to
OMB and the Congress is also required with a 40 day review period.)

(3)  Format.  The  matching  notice  shall  be  in  the  format  prescribed  by 
the  Office  of  the  Federal  Register's  Document  Drafting  Handbook  and  contain 
the  following  information: 

(a)  The  name  of  the  Recipient  Agency. 

(b)  The  Name(s)  of  the  Source  Agencies. 

(c)  The  beginning  and  ending  dates  of  the  match. 

(d) A brief description of the matching program, including
its purpose; the legal authorities authorizing its operation; categories of
individuals involved; and identification of records used, including name(s) of
Privacy Act systems of records.


(e)  The  identification,  address,  and  telephone  number  of  a 
Recipient  Agency  official  who  will  answer  public  inquiries  about  the  program. 


Appendix  II  to  OMB  Circular  No.  A-130  -  Cost  Accounting,  Cost  Recovery,  and 
Interagency  Sharing  of  Information  Technology  Facilities  [  The  guidance 
formerly  found  in  Appendix  II  has  been  revised  and  placed  in  Section  8b.  See, 
Transmittal  No.  2,  59  FR  37906.  Appendix  II  has  been  deleted  and  is  reserved 
for  future  topics.] 


Appendix  III  to  OMB  Circular  No.  A-130  -  Security  of  Federal  Automated 
Information  Resources 

A.  Requirements. 

1. Purpose

This Appendix establishes a minimum set of controls to be included in Federal
automated information security programs; assigns Federal agency
responsibilities for the security of automated information; and links agency
automated information security programs and agency management control systems
established in accordance with OMB Circular No. A-123. The Appendix revises
procedures formerly contained in Appendix III to OMB Circular No. A-130 (50 FR
52730; December 24, 1985), and incorporates requirements of the Computer
Security Act of 1987 (P.L. 100-235) and responsibilities assigned in
applicable national security directives.

2. Definitions

The term:

a.  "adequate  security"  means  security  commensurate  with  the  risk  and 
magnitude  of  the  harm  resulting  from  the  loss,  misuse,  or  unauthorized 
access  to  or  modification  of  information.  This  includes  assuring  that 
systems  and  applications  used  by  the  agency  operate  effectively  and  provide 
appropriate  confidentiality,  integrity,  and  availability,  through  the  use 
of  cost-effective  management,  personnel,  operational,  and  technical 
controls.

b.  "application"  means  the  use  of  information  resources  (information  and 
information  technology)  to  satisfy  a  specific  set  of  user  requirements. 

c.  "general  support  system"  or  "system"  means  an  interconnected  set  of 
information  resources  under  the  same  direct  management  control  which  shares 
common  functionality.  A  system  normally  includes  hardware,  software, 
information,  data,  applications,  communications,  and  people.  A  system  can 
be,  for  example,  a  local  area  network  (LAN)  including  smart  terminals  that 
supports  a  branch  office,  an  agency-wide  backbone,  a  communications 
network,  a  departmental  data  processing  center  including  its  operating 
system  and  utilities,  a  tactical  radio  network,  or  a  shared  information 
processing service organization (IPSO).

d.  "major  application"  means  an  application  that  requires  special  attention 
to  security  due  to  the  risk  and  magnitude  of  the  harm  resulting  from  the 
loss,  misuse,  or  unauthorized  access  to  or  modification  of  the  information 
in  the  application.  Note:  All  Federal  applications  require  some  level  of 
protection.  Certain  applications,  because  of  the  information  in  them, 
however,  require  special  management  oversight  and  should  be  treated  as 
major.  Adequate  security  for  other  applications  should  be  provided  by 
security  of  the  systems  in  which  they  operate. 

3.  Automated  Information  Security  Programs.  Agencies  shall  implement  and 
maintain  a  program  to  assure  that  adequate  security  is  provided  for  all  agency 
information  collected,  processed,  transmitted,  stored,  or  disseminated  in 
general  support  systems  and  major  applications. 


Each  agency's  program  shall  implement  policies,  standards  and  procedures  which 
are  consistent  with  government-wide  policies,  standards,  and  procedures  issued 
by  the  Office  of  Management  and  Budget,  the  Department  of  Commerce,  the 
General Services Administration and the Office of Personnel Management (OPM).
Different  or  more  stringent  requirements  for  securing  national  security 
information  should  be  incorporated  into  agency  programs  as  required  by 
appropriate  national  security  directives.  At  a  minimum,  agency  programs  shall 
include  the  following  controls  in  their  general  support  systems  and  major 
applications:

a.  Controls  for  general  support  systems. 

1)  Assign  Responsibility  for  Security.  Assign  responsibility  for 
security  in  each  system  to  an  individual  knowledgeable  in  the 
information  technology  used  in  the  system  and  in  providing  security  for 
such  technology. 

2)  System  Security  Plan.  Plan  for  adequate  security  of  each  general 
support  system  as  part  of  the  organization's  information  resources 
management  (IRM)  planning  process.  The  security  plan  shall  be 
consistent  with  guidance  issued  by  the  National  Institute  of  Standards 
and  Technology  (NIST) .  Independent  advice  and  comment  on  the  security 
plan  shall  be  solicited  prior  to  the  plan's  implementation.  A  summary 
of  the  security  plans  shall  be  incorporated  into  the  strategic  IRM  plan 
required  by  the  Paperwork  Reduction  Act  (44  U.S.C.  Chapter  35)  and 
Section  8(b)  of  this  circular.  Security  plans  shall  include: 

a)  Rules  of  the  System.  Establish  a  set  of  rules  of 
behavior  concerning  use  of,  security  in,  and  the  acceptable 
level  of  risk  for,  the  system.  The  rules  shall  be  based  on 
the  needs  of  the  various  users  of  the  system.  The  security 
required  by  the  rules  shall  be  only  as  stringent  as 
necessary  to  provide  adequate  security  for  information  in 
the  system.  Such  rules  shall  clearly  delineate 
responsibilities  and  expected  behavior  of  all  individuals 
with  access  to  the  system.  They  shall  also  include 
appropriate  limits  on  interconnections  to  other  systems  and 
shall  define  service  provision  and  restoration  priorities. 
Finally,  they  shall  be  clear  about  the  consequences  of 
behavior  not  consistent  with  the  rules. 

b)  Training.  Ensure  that  all  individuals  are  appropriately 
trained  in  how  to  fulfill  their  security  responsibilities 
before  allowing  them  access  to  the  system.  Such  training 
shall  assure  that  employees  are  versed  in  the  rules  of  the 
system,  be  consistent  with  guidance  issued  by  NIST  and  OPM, 
and  apprise  them  about  available  assistance  and  technical 
security  products  and  techniques.  Behavior  consistent  with 
the  rules  of  the  system  and  periodic  refresher  training 
shall  be  required  for  continued  access  to  the  system. 

c)  Personnel  Controls.  Screen  individuals  who  are 
authorized  to  bypass  significant  technical  and  operational 
security  controls  of  the  system  commensurate  with  the  risk 
and  magnitude  of  harm  they  could  cause.  Such  screening 
shall  occur  prior  to  an  individual  being  authorized  to 
bypass  controls  and  periodically  thereafter. 


d) Incident Response Capability. Ensure that there is a
capability to provide help to users when a security incident
occurs in the system and to share information concerning
common vulnerabilities and threats. This capability shall
share information with other organizations, consistent with
NIST coordination, and should assist the agency in pursuing
appropriate legal action, consistent with Department of
Justice guidance.

e) Continuity of Support. Establish and periodically test
the capability to continue providing service within a system
based upon the needs and priorities of the participants of
the system.

f)  Technical  Security.  Ensure  that  cost-effective  security 
products  and  techniques  are  appropriately  used  within  the 
system. 

g)  System  Interconnection.  Obtain  written  management 
authorization,  based  upon  the  acceptance  of  risk  to  the 
system,  prior  to  connecting  with  other  systems.  Where 
connection  is  authorized,  controls  shall  be  established 
which  are  consistent  with  the  rules  of  the  system  and  in 
accordance  with  guidance  from  NIST. 

3)  Review  of  Security  Controls.  Review  the  security  controls  in  each 
system  when  significant  modifications  are  made  to  the  system,  but  at 
least  every  three  years.  The  scope  and  frequency  of  the  review  should 
be  commensurate  with  the  acceptable  level  of  risk  for  the  system. 
Depending  on  the  potential  risk  and  magnitude  of  harm  that  could  occur, 
consider  identifying  a  deficiency  pursuant  to  OMB  Circular  No.  A-123, 
"Management  Accountability  and  Control"  and  the  Federal  Managers' 
Financial  Integrity  Act  (FMFIA) ,  if  there  is  no  assignment  of  security 
responsibility,  no  security  plan,  or  no  authorization  to  process  for  a 
system. 

4)  Authorize  Processing.  Ensure  that  a  management  official  authorizes 
in  writing  the  use  of  each  general  support  system  based  on 
implementation  of  its  security  plan  before  beginning  or  significantly 
changing processing in the system. Use of the system shall be
reauthorized at least every three years.

b.  Controls  for  Major  Applications. 

1)  Assign  Responsibility  for  Security.  Assign  responsibility  for 
security  of  each  major  application  to  a  management  official 
knowledgeable  in  the  nature  of  the  information  and  process  supported  by 
the  application  and  in  the  management,  personnel,  operational,  and 
technical  controls  used  to  protect  it.  This  official  shall  assure  that 
effective  security  products  and  techniques  are  appropriately  used  in  the 
application  and  shall  be  contacted  when  a  security  incident  occurs 
concerning  the  application. 


2) Application Security Plan. Plan for the adequate security of each
major application, taking into account the security of all systems in
which the application will operate. The plan shall be consistent with
guidance issued by NIST. Advice and comment on the plan shall be
solicited from the official responsible for security in the primary
system in which the application will operate prior to the plan's
implementation. A summary of the security plans shall be incorporated
into the strategic IRM plan required by the Paperwork Reduction Act.
Application security plans shall include:


a) Application Rules. Establish a set of rules concerning
use of and behavior within the application. The rules shall
be as stringent as necessary to provide adequate security
for the application and the information in it. Such rules
shall clearly delineate responsibilities and expected
behavior of all individuals with access to the application.
In addition, the rules shall be clear about the consequences
of behavior not consistent with the rules.


b) Specialized Training. Before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules. This may be in addition to the training required for access to a system. Such training may vary from a notification at the time of access (e.g., for members of the public using an information retrieval application) to formal training (e.g., for an employee that works with a high-risk application).

c) Personnel Security. Incorporate controls such as separation of duties, least privilege and individual accountability into the application and application rules as appropriate. In cases where such controls cannot adequately protect the application or information in it, screen individuals commensurate with the risk and magnitude of the harm they could cause. Such screening shall be done prior to the individuals' being authorized to access the application and periodically thereafter.

d) Contingency Planning. Establish and periodically test the capability to perform the agency function supported by the application in the event of failure of its automated support.

e) Technical Controls. Ensure that appropriate security controls are specified, designed into, tested, and accepted in the application in accordance with appropriate guidance issued by NIST.

f) Information Sharing. Ensure that information shared from the application is protected appropriately, comparable to the protection provided when information is within the application.

g) Public Access Controls. Where an agency's application promotes or permits public access, additional security controls shall be added to protect the integrity of the application and the confidence the public has in the application. Such controls shall include segregating information made directly accessible to the public from official agency records.

3) Review of Application Controls. Perform an independent review or audit of the security controls in each application at least every three years. Consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act if there is no assignment of responsibility for security, no security plan, or no authorization to process for the application.

4) Authorize Processing. Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application.

4. Assignment of Responsibilities

a. Department of Commerce. The Secretary of Commerce shall:

1) Develop and issue appropriate standards and guidance for the security of sensitive information in Federal computer systems.

2) Review and update guidelines for training in computer security awareness and accepted computer security practice, with assistance from OPM.

3) Provide agencies guidance for security planning to assist in their development of application and system security plans.

4) Provide guidance and assistance, as appropriate, to agencies concerning cost-effective controls when interconnecting with other systems.

5) Coordinate agency incident response activities to promote sharing of incident response information and related vulnerabilities.

6) Evaluate new information technologies to assess their security vulnerabilities, with technical assistance from the Department of Defense, and apprise Federal agencies of such vulnerabilities as soon as they are known.

b. Department of Defense. The Secretary of Defense shall:

1) Provide appropriate technical advice and assistance (including work products) to the Department of Commerce.

2) Assist the Department of Commerce in evaluating the vulnerabilities of emerging information technologies.

c. Department of Justice. The Attorney General shall:

1) Provide appropriate guidance to agencies on legal remedies regarding security incidents and ways to report and work with law enforcement concerning such incidents.

2) Pursue appropriate legal actions when security incidents occur.

d. General Services Administration. The Administrator of General Services shall:

1) Provide guidance to agencies on addressing security considerations when acquiring automated data processing equipment (as defined in section 111(a)(2) of the Federal Property and Administrative Services Act of 1949, as amended).

2) Facilitate the development of contract vehicles for agencies to use in the acquisition of cost-effective security products and services (e.g., back-up services).

3) Provide appropriate security services to meet the needs of Federal agencies to the extent that such services are cost-effective.

e. Office of Personnel Management. The Director of the Office of Personnel Management shall:

1) Assure that its regulations concerning computer security training for Federal civilian employees are effective.

2) Assist the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and accepted computer security practice.

f. Security Policy Board. The Security Policy Board shall coordinate the activities of the Federal government regarding the security of information technology that processes classified information in accordance with applicable national security directives.

5. Correction of Deficiencies and Reports

a. Correction of Deficiencies. Agencies shall correct deficiencies which are identified through the reviews of security for systems and major applications described above.

b. Reports on Deficiencies. In accordance with OMB Circular No. A-123, "Management Accountability and Control", if a deficiency in controls is judged by the agency head to be material when weighed against other agency deficiencies, it shall be included in the annual FMFIA report. Less significant deficiencies shall be reported and progress on corrective actions tracked at the appropriate agency level.

c. Summaries of Security Plans. Agencies shall include a summary of their system security plans and major application plans in the strategic plan required by the Paperwork Reduction Act (44 U.S.C. 3506).


B. Descriptive Information.

The following descriptive language is explanatory. It is included to assist in understanding the requirements of the Appendix.

The Appendix re-orients the Federal computer security program to better respond to a rapidly changing technological environment. It establishes government-wide responsibilities for Federal computer security and requires Federal agencies to adopt a minimum set of management controls. These management controls are directed at individual information technology users in order to reflect the distributed nature of today's technology.

For security to be most effective, the controls must be part of day-to-day operations. This is best accomplished by planning for security not as a separate activity, but as an integral part of overall planning.

"Adequate security" is defined as "security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." This definition explicitly emphasizes the risk-based policy for cost-effective security established by the Computer Security Act.

The Appendix no longer requires the preparation of formal risk analyses. In the past, substantial resources have been expended doing complex analyses of specific risks to systems, with limited tangible benefit in terms of improved security for the systems. Rather than continue to try to precisely measure risk, security efforts are better served by generally assessing risks and taking actions to manage them. While formal risk analyses need not be performed, the need to determine adequate security will require that a risk-based approach be used. This risk assessment approach should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards. Additional guidance on effective risk assessment is available in "An Introduction to Computer Security: The NIST Handbook" (March 16, 1995).

Discussion of the Appendix's Major Provisions. The following discussion is provided to aid reviewers in understanding the changes in emphasis in the Appendix.

Automated Information Security Programs. Agencies are required to establish controls to assure adequate security for all information processed, transmitted, or stored in Federal automated information systems. This Appendix emphasizes management controls affecting individual users of information technology. Technical and operational controls support management controls. To be effective, all must interrelate. For example, authentication of individual users is an important management control, for which password protection is a technical control. However, password protection will only be effective if both a strong technology is employed, and it is managed to assure that it is used correctly.

Four controls are set forth: assigning responsibility for security, security planning, periodic review of security controls, and management authorization. The Appendix requires that these management controls be applied in two areas of management responsibility: one for general support systems and one for major applications.

The terms "general support system" and "major application" were used in OMB Bulletins Nos. 88-16 and 90-08. A general support system is "an interconnected set of information resources under the same direct management control which shares common functionality." Such a system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization. Normally, the purpose of a general support system is to provide processing or communications support.

A major application is a use of information and information technology to satisfy a specific set of user requirements that requires special management attention to security due to the risk and magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of the information in the application. All applications require some level of security, and adequate security for most of them should be provided by security of the general support systems in which they operate. However, certain applications, because of the nature of the information in them, require special management oversight and should be treated as major. Agencies are expected to exercise management judgement in determining which of their applications are major.

The focus of OMB Bulletins Nos. 88-16 and 90-08 was on identifying and securing both general support systems and applications which contained sensitive information. The Appendix requires the establishment of security controls in all general support systems, under the presumption that all contain some sensitive information, and focuses extra security controls on a limited number of particularly high-risk or major applications.

a. General Support Systems. The following controls are required in all general support systems:

1) Assign Responsibility for Security. For each system, an individual should be a focal point for assuring there is adequate security within the system, including ways to prevent, detect, and recover from security problems. That responsibility should be assigned in writing to an individual trained in the technology used in the system and in providing security for such technology, including the management of security controls such as user identification and authentication.

2) Security Plan. The Computer Security Act requires that security plans be developed for all Federal computer systems that contain sensitive information. Given the expansion of distributed processing since passage of the Act, the presumption in the Appendix is that all general support systems contain some sensitive information which requires protection to assure its integrity, availability, or confidentiality, and therefore all systems require security plans.

Previous guidance on security planning was contained in OMB Bulletin No. 90-08. This Appendix supersedes OMB Bulletin 90-08 and expands the coverage of security plans from Bulletin 90-08 to include rules of individual behavior as well as technical security. Consistent with OMB Bulletin 90-08, the Appendix directs NIST to update and expand security planning guidance and issue it as a Federal Information Processing Standard (FIPS). In the interim, agencies should continue to use the Appendix of OMB Bulletin No. 90-08 as guidance for the technical portion of their security plans.

The Appendix continues the requirement that independent advice and comment on the security plan for each system be sought. The intent of this requirement is to improve the plans, foster communication between managers of different systems, and promote the sharing of security expertise.

This Appendix also continues the requirement from the Computer Security Act that summaries of security plans be included in agency strategic information resources management plans. OMB will provide additional guidance about the contents of those strategic plans, pursuant to the Paperwork Reduction Act of 1995.

The following specific security controls should be included in the security plan for a general support system:

a) Rules. An important new requirement for security plans is the establishment of a set of rules of behavior for individual users of each general support system. These rules should clearly delineate responsibilities of and expectations for all individuals with access to the system. They should be consistent with system-specific policy as described in "An Introduction to Computer Security: The NIST Handbook" (March 16, 1995). In addition, they should state the consequences of non-compliance. The rules should be in writing and will form the basis for security awareness and training.

The development of rules for a system must take into consideration the needs of all parties who use the system. Rules should be as stringent as necessary to provide adequate security. Therefore, the acceptable level of risk for the system must be established and should form the basis for determining the rules.

Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of government equipment, the assignment and limitation of system privileges, and individual accountability. Often rules should reflect technical security controls in the system. For example, rules regarding password use should be consistent with technical password features in the system. Rules may be enforced through administrative sanctions specifically related to the system (e.g. loss of system privileges) or through more general sanctions as are imposed for violating other rules of conduct. In addition, the rules should specifically address restoration of service as a concern of all users of the system.

b) Training. The Computer Security Act requires Federal agencies to provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use or operation of a Federal computer system within or under the supervision of the Federal agency. This includes contractors as well as employees of the agency. Access provided to members of the public should be constrained by controls in the applications through which access is allowed, and training should be within the context of those controls. The Appendix enforces such mandatory training by requiring its completion prior to granting access to the system. Each new user of a general support system in some sense introduces a risk to all other users. Therefore, each user should be versed in acceptable behavior — the rules of the system — before being allowed to use the system. Training should also inform the individual how to get help in the event of difficulty with using or security of the system.

Training should be tailored to what a user needs to know to use the system securely, given the nature of that use. Training may be presented in stages, for example as more access is granted. In some cases, the training should be in the form of classroom instruction. In other cases, interactive computer sessions or well-written and understandable brochures may be sufficient, depending on the risk and magnitude of harm.

Over time, attention to security tends to dissipate. In addition, changes to a system may necessitate a change in the rules or user procedures. Therefore, individuals should periodically have refresher training to assure that they continue to understand and abide by the applicable rules.

To assist agencies, the Appendix requires NIST, with assistance from the Office of Personnel Management (OPM), to update its existing guidance. It also proposes that OPM assure that its rules for computer security training for Federal civilian employees are effective.

c) Personnel Controls. It has long been recognized that the greatest harm has come from authorized individuals engaged in improper activities, whether intentional or accidental. In every general support system, a number of technical, operational, and management controls are used to prevent and detect harm. Such controls include individual accountability, "least privilege," and separation of duties.

Individual accountability consists of holding someone responsible for his or her actions. In a general support system, accountability is normally accomplished by identifying and authenticating users of the system and subsequently tracing actions on the system to the user who initiated them. This may be done, for example, by looking for patterns of behavior by users.

Least privilege is the practice of restricting a user's access (to data files, to processing capability, or to peripherals) or type of access (read, write, execute, delete) to the minimum necessary to perform his or her job.

Separation of duties is the practice of dividing the steps in a critical function among different individuals. For example, one system programmer can create a critical piece of operating system code, while another authorizes its implementation. Such a control keeps a single individual from subverting a critical process.

Nevertheless, in some instances, individuals may be given the ability to bypass some significant technical and operational controls in order to perform system administration and maintenance functions (e.g., LAN administrators or systems programmers). Screening such individuals in positions of trust will supplement technical, operational, and management controls, particularly where the risk and magnitude of harm is high.


d) Incident Response Capability. Security incidents, whether caused by viruses, hackers, or software bugs, are becoming more common. When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms. Awareness and training for individuals with access to the system should include how to use the system's incident response capability.

To be fully effective, incident handling must also include sharing information concerning common vulnerabilities and threats with those in other systems and other agencies. The Appendix directs agencies to effectuate such sharing, and tasks NIST to coordinate those agency activities government-wide.

The Appendix also directs the Department of Justice to provide appropriate guidance on pursuing legal remedies in the case of serious incidents.

e) Continuity of Support. Inevitably, there will be service interruptions. Agency plans should assure that there is an ability to recover and provide service sufficient to meet the minimal needs of users of the system. Manual procedures are generally NOT a viable back-up option. When automated support is not available, many functions of the organization will effectively cease. Therefore, it is important to take cost-effective steps to manage any disruption of service.

Decisions on the level of service needed at any particular time and on priorities in service restoration should be made in consultation with the users of the system and incorporated in the system rules.

Experience has shown that recovery plans that are periodically tested are substantially more viable than those that are not. Moreover, untested plans may actually create a false sense of security.

f) Technical Security. Agencies should assure that each system appropriately uses effective security products and techniques, consistent with standards and guidance from NIST. Often such techniques will correspond with system rules of behavior, such as in the proper use of password protection.

The Appendix directs NIST to continue to issue computer security guidance to assist agencies in planning for and using technical security products and techniques. Until such guidance is issued, however, the planning guidance included in OMB Bulletin 90-08 can assist in determining techniques for effective security in a system and in addressing technical controls in the security plan.

g) System Interconnection. In order for a community to effectively manage risk, it must control access to and from other systems. The degree of such control should be established in the rules of the system and all participants should be made aware of any limitations on outside access. Technical controls to accomplish this should be put in place in accordance with guidance issued by NIST.

There are varying degrees of how connected a system is. For example, some systems will choose to isolate themselves, others will restrict access such as allowing only e-mail connections or remote access only with sophisticated authentication, and others will be fully open. The management decision to interconnect should be based on the availability and use of technical and non-technical safeguards and consistent with the acceptable level of risk defined in the system rules.

3) Review of Security Controls. The security of a system will degrade over time, as the technology evolves and as people and procedures change. Reviews should assure that management, operational, personnel, and technical controls are functioning effectively. Security controls may be reviewed by an independent audit or a self review. The type and rigor of review or audit should be commensurate with the acceptable level of risk that is established in the rules for the system and the likelihood of learning useful information to improve security. Technical tools such as virus scanners, vulnerability assessment products (which look for known security problems, configuration errors, and the installation of the latest patches), and penetration testing can assist in the on-going review of different facets of systems. However, these tools are no substitute for a formal management review at least every three years. Indeed, for some high-risk systems with rapidly changing technology, three years will be too long.

Depending upon the risk and magnitude of harm that could result, weaknesses identified during the review of security controls should be reported as deficiencies in accordance with OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act. In particular, if a basic management control such as assignment of responsibility, a workable security plan, or management authorization is missing, then consideration should be given to identifying a deficiency.

4) Authorize Processing. The authorization of a system to process information, granted by a management official, provides an important quality control (some agencies refer to this authorization as accreditation). By authorizing processing in a system, a manager accepts the risk associated with it. Authorization is not a decision that should be made by the security staff.

Both the security official and the authorizing management official have security responsibilities. In general, the security official is closer to the day-to-day operation of the system and will direct or perform security tasks. The authorizing official will normally have general responsibility for the organization supported by the system.

Management authorization should be based on an assessment of management, operational, and technical controls. Since the security plan establishes the security controls, it should form the basis for the authorization, supplemented by more specific studies as needed. In addition, the periodic review of controls should also contribute to future authorizations. Some agencies perform "certification reviews" of their systems periodically. These formal technical evaluations lead to a management accreditation, or "authorization to process." Such certifications (such as those using the methodology in FIPS Pub 102 "Guideline for Computer Security Certification and Accreditation") can provide useful information to assist management in authorizing a system, particularly when combined with a review of the broad behavioral controls envisioned in the security plan required by the Appendix.

Re-authorization should occur prior to a significant change in processing, but at least every three years. It should be done more often where there is a high risk and potential magnitude of harm.

b. Controls in Major Applications. Certain applications require special management attention due to the risk and magnitude of harm that could occur. For such applications, the controls of the support system(s) in which they operate are likely to be insufficient. Therefore, additional controls specific to the application are required. Since the function of applications is the direct manipulation and use of information, controls for securing applications should emphasize protection of information and the way it is manipulated.

1) Assign Responsibility for Security. By definition, major applications are high risk and require special management attention. Major applications usually support a single agency function and often are supported by more than one general support system. It is important, therefore, that an individual be assigned responsibility in writing to assure that the particular application has adequate security. To be effective, this individual should be knowledgeable in the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect the application.

2) Application Security Plans. Security for each major application should be addressed by a security plan specific to the application. The plan should include controls specific to protecting information and should be developed from the application manager's perspective. To assist in assuring its viability, the plan should be provided to the manager of the primary support system which the application uses for advice and comment. This recognizes the critical dependence of the security of major applications on the underlying support systems they use. Summaries of application security plans should be included in strategic information resource management plans in accordance with this Circular.

a)  Application  Rules.  Rules  of  behavior  should  be  established  which 
delineate  the  responsibilities  and  expected  behavior  of  all  individuals 
with  access  to  the  application.  The  rules  should  state  the  consequences 
of  inconsistent  behavior.  Often  the  rules  will  be  associated  with 
technical  controls  implemented  in  the  application.  Such  rules  should 
include,  for  example,  limitations  on  changing  data,  searching  databases, 
or  divulging  information. 

b)  Specialized  Training.  Training  is  required  for  all  individuals  given 
access  to  the  application,  including  members  of  the  public.  It  should 
vary  depending  on  the  type  of  access  allowed  and  the  risk  that  access 
represents  to  the  security  of  the  application  and  information  in  it. 

This  training  will  be  in  addition  to  that  required  for  access  to  a 
support  system. 

c) Personnel Security. For most major applications, management controls such as individual accountability requirements, separation of duties enforced by access controls, or limitations on the processing privileges of individuals, are generally more cost-effective personnel security controls than background screening. Such controls should be implemented as both technical controls and as application rules. For example, technical controls to ensure individual accountability, such as looking for patterns of user behavior, are most effective if users are aware that there is such a technical control. If adequate audit or access controls (through both technical and non-technical methods) cannot be established, then it may be cost-effective to screen personnel, commensurate with the risk and magnitude of harm they could cause. The change in emphasis on screening in the Appendix should not affect background screening deemed necessary because of other duties that an individual may perform.

d) Contingency Planning. Normally the Federal mission supported by a major application is critically dependent on the application. Manual processing is generally NOT a viable back-up option. Managers should plan for how they will perform their mission and/or recover from the loss of existing application support, whether the loss is due to the inability of the application to function or a general support system failure. Experience has demonstrated that testing a contingency plan significantly improves its viability. Indeed, untested plans or plans not tested for a long period of time may create a false sense of ability to recover in a timely manner.

e) Technical Controls. Technical security controls, for example tests to filter invalid entries, should be built into each application. Often these controls will correspond with the rules of behavior for the application. Under the previous Appendix, application security was focused on the process by which sensitive, custom applications were developed. While that process is not addressed in detail in this Appendix, it remains an effective method for assuring that security controls are built into applications. Additionally, the technical security controls defined in OMB Bulletin No. 90-08 will continue, until that guidance is replaced by NIST's security planning guidance.

f) Information Sharing. Assure that information which is shared with Federal organizations, State and local governments, and the private sector is appropriately protected, comparable to the protection provided when the information is within the application. Controls on the information may stay the same or vary when the information is shared with another entity. For example, the primary user of the information may require a high level of availability while the secondary user does not, and can therefore relax some of the controls designed to maintain the availability of the information. At the same time, however, the information shared may require a level of confidentiality that should be extended to the secondary user. This normally requires notification and agreement to protect the information prior to its being shared.

g) Public Access Controls. Permitting public access to a Federal application is an important method of improving information exchange with the public. At the same time, it introduces risks to the Federal application. To mitigate these risks, additional controls should be in place as appropriate. These controls are in addition to controls such as "firewalls" that are put in place for security of the general support system.

In general, it is more difficult to apply conventional controls to public access systems, because many of the users of the system may not be subject to individual accountability policies. In addition, public access systems may be a target for mischief because of their higher visibility and published access methods.

Official records need to be protected against loss or alteration. Official records in electronic form are particularly susceptible since they can be relatively easy to change or destroy. Therefore, official records should be segregated from information made directly accessible to the public. There are different ways to segregate records. Some agencies and organizations are creating dedicated information dissemination systems (such as bulletin boards or World Wide Web servers) to support this function. These systems can be on the outside of secure gateways which protect internal agency records from outside access.

In order to secure applications that allow direct public access, conventional techniques such as least privilege (limiting the processing capability as well as access to data) and integrity assurances (such as checking for viruses, clearly labeling the age of data, or periodically spot checking data) should also be used. Additional guidance on securing public access systems is available from NIST Computer Systems Laboratory Bulletin "Security Issues in Public Access Systems" (May, 1993).
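The segregation and integrity assurances described above can be made concrete in a small amount of code. The following Python example is added here and is not part of the Circular or of any NIST guidance: it keeps a hash manifest with the official records, publishes a separate copy for public access, labels the age of the published data, and periodically re-hashes a random sample of the public copy against the manifest. The record names, contents, publication date and manifest layout are constructed for illustration.

```python
"""Integrity spot-check of a public dissemination copy (added example).

Models three controls from the Appendix III discussion of public access:
official records are kept apart from the copy made directly accessible to
the public; the age of the published data is clearly labeled; and the
published data is periodically spot-checked for alteration. All record
names, contents and dates below are constructed sample data.
"""
import hashlib
import random
from datetime import date

# Constructed sample: the authoritative official records, held behind the
# agency's gateway. The public system never receives write access to these.
OFFICIAL_RECORDS = {
    "notice-001.txt": b"Notice 001: comment period closes 1996-03-15.\n",
    "notice-002.txt": b"Notice 002: fee schedule revised.\n",
    "stats-q4.csv": b"quarter,claims\nQ4,1234\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the integrity reference for a record."""
    return hashlib.sha256(data).hexdigest()


def publish(official: dict, published_on: date) -> tuple[dict, dict]:
    """Copy official records to a dissemination store and build a manifest.

    Returns (public_store, manifest). The manifest stays with the official
    records, not on the public system, so whoever alters the public copy
    cannot also rewrite the reference hashes.
    """
    public_store = {name: bytes(data) for name, data in official.items()}
    manifest = {
        "published_on": published_on.isoformat(),
        "records": {name: sha256_hex(data) for name, data in official.items()},
    }
    return public_store, manifest


def age_label(manifest: dict, today: date) -> str:
    """Label shown to the public stating how old the published data is."""
    published = date.fromisoformat(manifest["published_on"])
    return f"Data as of {published.isoformat()} ({(today - published).days} days old)"


def spot_check(public_store: dict, manifest: dict, sample_size: int,
               rng: random.Random) -> dict:
    """Re-hash a random sample of published records against the manifest.

    Returns lists of records 'checked', 'altered' (hash mismatch) and
    'missing' (in manifest, absent from the public copy), plus 'unexpected'
    items present in the public copy but never published from the records.
    """
    names = sorted(manifest["records"])
    sample = rng.sample(names, min(sample_size, len(names)))
    result = {"checked": sample, "altered": [], "missing": [], "unexpected": []}
    for name in sample:
        if name not in public_store:
            result["missing"].append(name)
        elif sha256_hex(public_store[name]) != manifest["records"][name]:
            result["altered"].append(name)
    result["unexpected"] = sorted(set(public_store) - set(manifest["records"]))
    return result


def demo() -> dict:
    """Publish the sample records, simulate a change to the public copy only,
    and run a spot check covering every published record."""
    public_store, manifest = publish(OFFICIAL_RECORDS, date(1996, 2, 8))
    # Constructed scenario: the public copy is modified and a stray file
    # appears; the official records behind the gateway are untouched.
    public_store["notice-002.txt"] = b"Notice 002: fee schedule revised. Fees waived.\n"
    public_store["extra.txt"] = b"not an official record\n"
    return spot_check(public_store, manifest, sample_size=3, rng=random.Random(0))


if __name__ == "__main__":
    _, m = publish(OFFICIAL_RECORDS, date(1996, 2, 8))
    print(age_label(m, date(1996, 3, 9)))
    print(demo())
```

In practice the sample size and check interval would be set from the risk and magnitude of harm for the application, and a mismatch would trigger re-publication from the official record rather than repair of the public copy in place.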

3) Review of Application Controls. At least every three years, an independent review or audit of the security controls for each major application should be performed. Because of the higher risk involved in major applications, the review or audit should be independent of the manager responsible for the application. Such reviews should verify that responsibility for the security of the application has been assigned, that a viable security plan for the application is in place, and that a manager has authorized the processing of the application. A deficiency in any of these controls should be considered a deficiency pursuant to the Federal Manager's Financial Integrity Act and OMB Circular No. A-123, "Management Accountability and Control."

The review envisioned here is different from the system test and certification process required in the current Appendix. That process, however, remains useful for assuring that technical security features are built into custom-developed software applications. While the controls in that process are not specifically called for in this Appendix, they remain in Bulletin No. 90-08, and are recommended in appropriate circumstances as technical controls.

4) Authorize Processing. A major application should be authorized by the management official responsible for the function supported by the application at least every three years, but more often where the risk and magnitude of harm is high. The intent of this requirement is to assure that the senior official whose mission will be adversely affected by security weaknesses in the application periodically assesses and accepts the risk of operating the application. The authorization should be based on the application security plan and any review(s) performed on the application. It should also take into account the risks from the general support systems used by the application.

4. Assignment of Responsibilities. The Appendix assigns government-wide responsibilities to agencies that are consistent with their missions and the Computer Security Act.

a. Department of Commerce. The Department of Commerce, through NIST, is assigned the following responsibilities consistent with the Computer Security Act.

1) Develop and issue security standards and guidance.

2) Review and update, with assistance from OPM, the guidelines for security training issued in 1988 pursuant to the Computer Security Act to assure they are effective.

3) Replace and update the technical planning guidance in the appendix to OMB Bulletin 90-08. This should include guidance on effective risk-based security absent a formal risk analysis.

4) Provide agencies with guidance and assistance concerning effective controls for systems when interconnecting with other systems, including the Internet. Such guidance on, for example, so-called "firewalls" is becoming widely available and is critical to agencies as they consider how to interconnect their communications capabilities.

5) Coordinate agency incident response activities. Coordination of agency incident response activities should address both threats and vulnerabilities as well as improve the ability of the Federal government for rapid and effective cooperation in response to serious security breaches.

6) Assess security vulnerabilities in new information technologies and apprise Federal agencies of such vulnerabilities. The intent of this new requirement is to help agencies understand the security implications of technology before they purchase and field it. In the past, there have been too many instances where agencies have acquired and implemented technology, then found out about vulnerabilities in the technology and had to retrofit security measures. This activity is intended to help avoid such difficulties in the future.

b. Department of Defense. The Department, through the National Security Agency, should provide technical advice and assistance to NIST, including work products such as technical security guidelines, which NIST can draw upon for developing standards and guidelines for protecting sensitive information in Federal computers.

Also, the Department, through the National Security Agency, should assist NIST in evaluating vulnerabilities in emerging technologies. Such vulnerabilities may present a risk to national security information as well as to unclassified information.

c. Department of Justice. The Department of Justice should provide appropriate guidance to Federal agencies on legal remedies available to them when serious security incidents occur. Such guidance should include ways to report incidents and cooperate with law enforcement.

In addition, the Department should pursue appropriate legal actions on behalf of the Federal government when serious security incidents occur.

d. General Services Administration. The General Services Administration should provide agencies guidance for addressing security considerations when acquiring information technology products or services. This continues the current requirement.

In addition, where cost-effective to do so, GSA should establish government-wide contract vehicles for agencies to use to acquire certain security services. Such vehicles already exist for providing system back-up support and conducting security analyses.

GSA should also provide appropriate security services to assist Federal agencies to the extent that provision of such services is cost-effective. This includes providing, in conjunction with the Department of Defense and the Department of Commerce, appropriate services which support Federal use of the National Information Infrastructure (e.g., use of digital signature technology).

e. Office of Personnel Management. In accordance with the Computer Security Act, OPM should review its regulations concerning computer security training and assure that they are effective.

In addition, OPM should assist the Department of Commerce in the review and update of its computer security awareness and training guidelines. OPM worked closely with NIST in developing the current guidelines and should work with NIST in revising those guidelines.

f. Security Policy Board. The Security Policy Board is assigned responsibility for national security policy coordination in accordance with the appropriate Presidential directive. This includes policy for the security of information technology used to process classified information.

Circular A-130 and this Appendix do not apply to information technology that supports certain critical national security missions, as defined in 44 U.S.C. 3502(9) and 10 U.S.C. 2315. Policy and procedural requirements for the security of national security systems (telecommunications and information systems that contain classified information or that support those critical national security missions (44 U.S.C. 3502(9) and 10 U.S.C. 2315)) are assigned to the Department of Defense pursuant to Presidential directive. The Circular clarifies that information classified for national security purposes should also be handled in accordance with appropriate national security directives. Where classified information is required to be protected by more stringent security requirements, those requirements should be followed rather than the requirements of this Appendix.

5. Reports. The Appendix requires agencies to provide two reports to OMB:

The first is a requirement that agencies report security deficiencies and material weaknesses within their FMFIA reporting mechanisms as defined by OMB Circular No. A-123, "Management Accountability and Control," and take corrective actions in accordance with that directive.

The second, defined by the Computer Security Act, requires that a summary of agency security plans be included in the information resources management plan required by the Paperwork Reduction Act.


Appendix IV to OMB Circular No. A-130 - Analysis of Key Sections

1. Purpose

The purpose of this Appendix is to provide a general context and explanation for the contents of the key Sections of the Circular.

2. Background

The Paperwork Reduction Act (PRA) of 1980, Public Law 96-511, as amended by the Paperwork Reduction Act of 1995, Public Law 104-13, codified at Chapter 35 of Title 44 of the United States Code, establishes a broad mandate for agencies to perform their information activities in an efficient, effective, and economical manner. Section 3504 of the Act provides authority to the Director, OMB, to develop and implement uniform and consistent information resources management policies; oversee the development and promote the use of information management principles, standards, and guidelines; evaluate agency information management practices in order to determine their adequacy and efficiency, and determine compliance of such practices with the policies, principles, standards, and guidelines promulgated by the Director.

The Circular implements OMB authority under the PRA with respect to Section 3504(b), general information resources management policy; Section 3504(d), information dissemination; Section 3504(f), records management; Section 3504(g), privacy and security; and Section 3504(h), information technology.

The Circular also implements certain provisions of the Privacy Act of 1974 (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 3512 et seq.); Sections 111 and 206 of the Federal Property and Administrative Services Act of 1949, as amended (40 U.S.C. 759 and 487, respectively); the Computer Security Act (40 U.S.C. 759 note); the Budget and Accounting Act of 1921 (31 U.S.C. 1 et seq.); and Executive Order No. 12046 of March 27, 1978, and Executive Order No. 12472 of April 3, 1984, Assignment of National Security and Emergency Telecommunications Functions. The Circular complements 5 CFR Part 1320, Controlling Paperwork Burden on the Public, which implements other Sections of the PRA dealing with controlling the reporting and recordkeeping burden placed on the public.

In addition, the Circular revises and consolidates policy and procedures in seven previous OMB directives and rescinds those directives, as follows:

A-3 - Government Publications

A-71 - Responsibilities for the Administration and Management of Automatic Data Processing Activities

Transmittal Memorandum No. 1 to Circular No. A-71 - Security of Federal Automated Information Systems

A-90 - Cooperating with State and Local Governments to Coordinate and Improve Information Systems

A-108 - Responsibilities for the Maintenance of Records about Individuals by Federal Agencies

A-114 - Management of Federal Audiovisual Activities

A-121 - Cost Accounting, Cost Recovery, and Interagency Sharing of Data Processing Facilities


3. Analysis

Section 6, Definitions. Access and Dissemination. The original Circular No. A-130 distinguished between the terms "access to information" and "dissemination of information" in order to separate statutory requirements from policy considerations. The first term means giving members of the public, at their request, information to which they are entitled by a law such as the FOIA. The latter means actively distributing information to the public at the initiative of the agency. The distinction appeared useful at the time Circular No. A-130 was written, because it allowed OMB to focus discussion on Federal agencies' responsibilities for actively distributing information. However, popular usage and evolving technology have blurred differences between the terms "access" and "dissemination" and readers of the Circular were confused by the distinction. For example, if an agency "disseminates" information via an on-line computer system, one speaks of permitting users to "access" the information, and on-line "access" becomes a form of "dissemination."

Thus, the revision defines only the term "dissemination." Special considerations based on access statutes such as the Privacy Act and the FOIA are explained in context.

Government Information. The definition of "government information" includes information created, collected, processed, disseminated, or disposed of both by and for the Federal Government. This recognizes the increasingly distributed nature of information in electronic environments. Many agencies, in addition to collecting information for government use and for dissemination to the public, require members of the public to maintain information or to disclose it to the public. Sound information resources management dictates that agencies consider the costs and benefits of a full range of alternatives to meet government objectives. In some cases, there is no need for the government actually to collect the information itself, only to assure that it is made publicly available. For example, banks insured by the FDIC must provide statements of financial condition to bank customers on request. Particularly when information is available in electronic form, networks make the physical location of information increasingly irrelevant.

The inclusion of information created, collected, processed, disseminated, or disposed of for the Federal Government in the definition of "government information" does not imply that responsibility for implementing the provisions of the Circular itself extends beyond the executive agencies to other entities. Such an interpretation would be inconsistent with Section 4, Applicability, and with existing law. For example, the courts have held that requests to Federal agencies for release of information under the FOIA do not always extend to those performing information activities under grant or contract to a Federal agency. Similarly, grantees may copyright information where the government may not. Thus the information responsibilities of grantees and contractors are not identical to those of Federal agencies except to the extent that the agencies make them so in the underlying grants or contracts. Similarly, agency information resources management responsibilities do not extend to other entities.

Information Dissemination Product. This notice defines the term "information dissemination product" to include all information that is disseminated by Federal agencies. While the provision of access to on-line databases and search software included on compact disk, read-only memory (CD-ROM) are often called information services rather than products, there is no clear distinction and, moreover, no real difference for policy purposes between the two. Thus, the term "information dissemination product" applies to both products and services, and makes no distinction based on how the information is delivered.

Section 8a(1). Information Management Planning. Parallel to new Section 7, Basic Considerations and Assumptions, Section 8a begins with information resources management planning. Planning is the process of establishing a course of action to achieve desired results with available resources. Planners translate organizational missions into specific goals and, in turn, into measurable objectives.

The PRA introduced the concept of information resources management and the principle of information as an institutional resource which has both value and associated costs. Information resources management is a tool that managers use to achieve agency objectives. Information resources management is successful if it enables managers to achieve agency objectives efficiently and effectively.

Information resources management planning is an integral part of overall mission planning. Agencies need to plan from the outset for the steps in the information life cycle. When creating or collecting information, agencies must plan how they will process and transmit the information, how they will use it, how they will protect its integrity, what provisions they will make for access to it, whether and how they will disseminate it, how they will store and retrieve it, and finally, how the information will ultimately be disposed of. They must also plan for the effects their actions and programs will have on the public and State and local governments.

The Role of State and Local Governments. OMB made additions at Sections 7a, 7e, and 7j, Basic Considerations and Assumptions, concerning State and local governments, and also in policy statements at Sections 8a(1)(c), (3)(f), (5)(d)(iii), and (8)(e).

State and local governments, and tribal governments, cooperate as major partners with the Federal Government in the collection, processing, and dissemination of information. For example, State governments are the principal collectors and/or producers of information in the areas of health, welfare, education, labor markets, transportation, the environment, and criminal justice. The States supply the Federal Government with data on aid to families with dependent children; medicare; school enrollments, staffing, and financing; statistics on births, deaths, and infectious diseases; population related data that form the basis for national estimates; employment and labor market data; and data used for census geography. National information resources are greatly enhanced through these major cooperating efforts.

Federal agencies need to be sensitive to the role of State and local governments, and tribal governments, in managing information and in managing information technology. When planning, designing, and carrying out information collections, agencies should systematically consider what effect their activities will have on cities, counties, and States, and take steps to involve these governments as appropriate. Agencies should ensure that their information collections impose the minimum burden and do not duplicate or conflict with local efforts or other Federal agency requirements or mandates. The goal is that Federal agencies routinely integrate State and local government concerns into Federal information resources management practices. This goal is consistent with standards for State and local government review of Federal policies and programs.

Training.  Training  is  particularly  important  in  view  of  the  changing  nature 
of  information  resources  management.  Decentralization  of  information 
technology  has  placed  the  management  of  automated  information  and  information 
technology  directly  in  the  hands  of  nearly  all  agency  personnel  rather  than  in 
the  hands  of  a  few  employees  at  centralized  facilities.  Agencies  must  plan 
for  incorporating  policies  and  procedures  regarding  computer  security,  records 
management,  protection  of  privacy,  and  other  safeguards  into  the  training  of 
every  employee  and  contractor. 

Section  8a  (2)  .  Information  Collection.  The  PRA  requires  that  the  creation  or 
collection  of  information  be  carried  out  in  an  efficient,  effective,  and 
economical  manner.  When  Federal  agencies  create  or  collect  information  — 
just  as  when  they  perform  any  other  program  functions  —  they  consume  scarce 
resources.  Such  activities  must  be  continually  evaluated  for  their  relevance 
to  agency  missions. 

Agencies  must  justify  the  creation  or  collection  of  information  based  on  their 
statutory  functions.  Policy  statement  8a  (2)  uses  the  justification  standard 
—  "necessary  for  the  proper  performance  of  the  functions  of  the  agency"  — 
established  by  the  PRA  (44  U.S.C.  3508)  .  Furthermore,  the  policy  statement 
includes  the  requirement  that  the  information  have  practical  utility,  as 
defined  in  the  PRA  (44  U.S.C.  3502(11))  and  elaborated  in  5  CFR  Part  1320. 
Practical  utility  includes  such  qualities  of  information  as  accuracy, 
adequacy,  and  reliability.  In  the  case  of  general  purpose  statistics  or 
recordkeeping,  practical  utility  means  that  actual  uses  can  be  demonstrated  (5 
CFR  1320.3(1))  .  It  should  be  noted  that  OMB ' s  intent  in  placing  emphasis  on 
reducing  unjustified  burden  in  collecting  information,  an  emphasis  consistent 
with  the  Act,  is  not  to  diminish  the  importance  of  collecting  information 
whenever  agencies  have  legitimate  program  reasons  for  doing  so.  Rather,  the 
concern  is  that  the  burdens  imposed  should  not  exceed  the  benefits  to  be 
derived  from  the  information.  Moreover,  if  the  same  benefit  can  be  obtained 
by  alternative  means  that  impose  a  lesser  burden,  that  alternative  should  be 
adopted . 

Section  8a  (3)  .  Electronic  Information  Collection.  Section  71  articulates  a 
basic  assumption  of  the  Circular  that  modern  information  technology  can  help 
the  government  provide  better  service  to  the  public  through  improved 
management  of  government  programs.  One  potentially  useful  application  of 
information  technology  is  in  the  government's  collection  of  information.  While 
some  information  collections  may  not  be  good  candidates  for  electronic 
techniques,  many  are.  Agencies  with  major  electronic  information  collection 
programs  have  found  that  automated  information  collections  allow  them  to  meet 
program  objectives  more  efficiently  and  effectively.  Electronic  data 
interchange  (EDI)  and  related  standards  for  the  electronic  exchange  of 
information  will  ease  transmission  and  processing  of  routine  business 
transaction  information  such  as  invoices,  purchase  orders,  price  information, 
bills  of  lading,  health  insurance  claims,  and  other  common  commercial 
documents.  EDI  holds  similar  promise  for  the  routine  filing  of  regulatory 
information  such  as  tariffs,  customs  declarations,  license  applications,  tax 
information,  and  environmental  reports. 

Benefits  to  the  public  and  agencies  from  electronic  information  collection 
appear  substantial.  Electronic  methods  of  collection  reduce  paperwork  burden, 
reduce  errors,  facilitate  validation,  and  provide  increased  convenience  and 


more  timely  receipt  of  benefits. 


The policy in Section 8a(3) encourages agencies to explore the use of
automated techniques for collection of information, and sets forth conditions
conducive to the use of those techniques.

Section 8a(4). Records Management. Section 8a(4) begins with the fundamental
requirement for Federal records management, namely, that agencies create and
keep adequate and proper documentation of their activities. Federal agencies
cannot carry out their missions in a responsible and responsive manner without
adequate recordkeeping. Section 7h articulates the basic considerations
concerning records management. Policy statements concerning records
management are also interwoven throughout Section 8a, particularly in
subsections on planning (8a(1)(j)), information dissemination (8a(6)), and
safeguards (8a(9)).

Records support the immediate needs of government — administrative, legal,
fiscal — and ensure its continuity. Records are essential for protecting the
rights and interests of the public, and for monitoring the work of public
servants. The government needs records to ensure accountability to the public,
which includes making the information available to the public.

Each stage of the information life cycle carries with it records management
responsibilities. Agencies need to record their plans, carefully document the
content and procedures of information collection, ensure proper documentation
as a feature of every information system, keep records of dissemination
programs, and, finally, ensure that records of permanent value are preserved.

Preserving records for future generations is the archival mission. Advances
in technology affect the amount of information that can be created and saved,
and the ways this information can be made available. Technological advances
can ease the task of records management; however, the rapid pace of change in
modern technology makes decisions about the appropriate application of
technology critical to records management. Increasingly the records manager
must be concerned with preserving valuable electronic records in the context
of a constantly changing technological environment.

Records schedules are essential for the appropriate maintenance and
disposition of records. Records schedules must be prepared in a timely
fashion, implement the General Records Schedules issued by the National
Archives and Records Administration, be approved by the Archivist of the
United States, and be kept accurate and current. (See 44 U.S.C. 3301 et seq.)
The National Archives and Records Administration and the General Services
Administration provide guidance and assistance to agencies in implementing
records management responsibilities. They also evaluate agencies' records
management programs to determine the extent to which they are appropriately
implementing their records management responsibilities.

Sections 8a(5) and 8a(6). Information Dissemination Policy. Section 8a(5).
Every agency has a responsibility to inform the public within the context of
its mission. This responsibility requires that agencies distribute
information at the agency's initiative, rather than merely responding when the
public requests information.

The FOIA requires each agency to publish in the Federal Register current
descriptions of agency organization, where and how the public may obtain
information, the general methods and procedural requirements by which agency
functions are determined, rules of procedure, descriptions of forms and how to
obtain them, substantive regulations, statements of general policy, and
revisions to all the foregoing (5 U.S.C. 552(a)(1)). The Privacy Act also
requires publication of information concerning "systems of records," which are
records retrieved by individual identifier such as name, Social Security
Number, or fingerprint. The Government in the Sunshine Act requires agencies
to publish meeting announcements (5 U.S.C. 552b(e)(1)). The PRA (44 U.S.C.
3507(a)(2)) and its implementing regulations (5 CFR Part 1320) require
agencies to publish notices when they submit information collection requests
for OMB approval. The public's right of access to government information
under these statutes is balanced against other concerns, such as an
individual's right to privacy and protection of the government's deliberative
process.

As agencies satisfy these requirements, they provide the public basic
information about government activities. Other statutes direct specific
agencies to issue specific information dissemination products or to conduct
information dissemination programs. Beyond generic and specific statutory
requirements, agencies have responsibilities to disseminate information as a
necessary part of performing their functions. For some agencies the
responsibility is made explicit and sweeping; for example, the Agriculture
Department is directed to "...diffuse among people of the United States,
useful information on subjects connected with agriculture...." (7 U.S.C.
2201) For other agencies, the responsibility may be much more narrowly drawn.

Information dissemination is also a consequence of other agency activities.
Agency programs normally include an organized effort to inform the public
about the program. Most agencies carry out programs that create or collect
information with the explicit or implicit intent that the information will be
made public. Disseminating information is in many cases the logical extension
of information creation or collection.

In other cases, agencies may have information that is not meant for public
dissemination but which may be the subject of requests from the public. When
the agency establishes that there is public demand for the information and
that it is in the public interest to disseminate the information, the agency
may decide to disseminate it automatically.

The policy in Section 8a(5)(d) sets forth several factors for agencies to take
into account in conducting their information dissemination programs. First,
agencies must balance two goals: maximizing the usefulness of the information
to the government and the public, and minimizing the cost to both. Deriving
from the basic purposes of the PRA (44 U.S.C. 3501), the two goals are
frequently in tension because increasing usefulness usually costs more.

Second, Section 8a(5)(d)(ii) requires agencies to conduct information
dissemination programs equitably and in a timely manner. The word "equal" was
removed from this Section since there may be instances where, for example, an
agency determines that its mission includes disseminating information to
certain specific groups or members of the public, and the agency determines
that user charges will constitute a significant barrier to carrying out this
responsibility.

Section 8a(5)(d)(iii), requiring agencies to take advantage of all
dissemination channels, recognizes that information reaches the public in many
ways. Few persons may read a Federal Register notice describing an agency
action, but those few may be major secondary disseminators of the information.
They may be affiliated with publishers of newspapers, newsletters,
periodicals, or books; affiliated with on-line database providers; or
specialists in certain information fields. While millions of information
users in the public may be affected by the agency's action, only a handful may
have direct contact with the agency's own information dissemination products.
As a deliberate strategy, therefore, agencies should cooperate with the
information's original creators, as well as with secondary disseminators, in
order to further information dissemination goals and foster a diversity of
information sources. An adjunct responsibility to this strategy is reflected
in Section 8a(5)(d)(iv), which directs agencies to assist the public in
finding government information. Agencies may accomplish this, for example, by
specifying and disseminating "locator" information, including information
about content, format, uses and limitations, location, and means of access.

Section 8a(6). Information Dissemination Management System. This Section
requires agencies to maintain an information dissemination management system
which can ensure the routine performance of certain functions, including the
essential functions previously required by Circular No. A-3. Smaller agencies
need not establish elaborate formal systems, so long as the heads of the
agencies can ensure that the functions are being performed.

Subsection (6)(a) carries over a requirement from OMB Circular No. A-3 that
agencies' information dissemination products are to be, in the words of 44
U.S.C. 1108, "necessary in the transaction of the public business required by
law of the agency." (Circular No. A-130 uses the expression "necessary for
the proper performance of agency functions," which OMB considers to be
equivalent to the expression in 44 U.S.C. 1108.) The point is that agencies
should determine systematically the need for each information dissemination
product.

Section 8a(6)(b) recognizes that to carry out effective information
dissemination programs, agencies need knowledge of the marketplace in which
their information dissemination products are placed. They need to know what
other information dissemination products users have available in order to
design the best agency product. As agencies are constrained by finite
budgets, when there are several alternatives from which to choose, they should
not expend public resources filling needs which have already been met by
others in the public or private sector. Agencies have a responsibility not to
undermine the existing diversity of information sources.

At the same time, an agency's responsibility to inform the public may be
independent of the availability or potential availability of a similar
information dissemination product. That is, even when another governmental or
private entity has offered an information dissemination product identical or
similar to what the agency would produce, the agency may conclude that it
nonetheless has a responsibility to disseminate its own product. Agencies
should minimize such instances of duplication but could reach such a
conclusion because legal considerations require an official government
information dissemination product.

Section 8a(6)(c) makes the Circular consistent with current practice (see OMB
Bulletins 88-15, 89-15, 90-09, and 91-16), by requiring agencies to establish
and maintain inventories of information dissemination products. (These
bulletins eliminated annual reporting to OMB of title-by-title listings of
publications and the requirement for agencies to obtain OMB approval for each
new periodical. Publications are now reviewed as necessary during the normal
budget review process.) Inventories help other agencies and the public
identify information which is available. This serves both to increase the
efficiency of the dissemination function and to avoid unnecessary burdens of
duplicative information collections. A corollary, enunciated in Section
8a(6)(d), is that agencies can better serve public information needs by
developing finding aids for locating information produced by the agencies.
Finally, Section 8a(6)(f) recognizes that there will be situations where
agencies may have to take appropriate steps to ensure that members of the
public with disabilities whom the agency has a responsibility to inform have a
reasonable ability to access the information dissemination products.

Depository Library Program. Sections 8a(6)(g) and (h) pertain to the Federal
Depository Library Program. Agencies are to establish procedures to ensure
compliance with 44 U.S.C. 1902, which requires that government publications
(defined in 44 U.S.C. 1901 and repeated in Section 6 of the Circular) be made
available to depository libraries through the Government Printing Office
(GPO).

Depository libraries are major partners with the Federal Government in the
dissemination of information and contribute significantly to the diversity of
information sources available to the public. They provide a mechanism for
wide distribution of government information that guarantees basic availability
to the public. Executive branch agencies support the depository library
program both as a matter of law and on its merits as a means of informing the
public about the government. On the other hand, the law places the
administration of depository libraries with GPO. Agency responsibility for
the depository libraries is limited to supplying government publications
through GPO.

Agencies can improve their performance in providing government publications as
well as electronic information dissemination products to the depository
library program. For example, the proliferation of "desktop publishing"
technology in recent years has afforded the opportunity for many agencies to
produce their own printed documents. Many such documents may properly belong
in the depository libraries but are not sent because they are not printed at
GPO. The policy requires agencies to establish management controls to ensure
that the appropriate documents reach the GPO for inclusion in the depository
library program.

At present, few agencies provide electronic information dissemination products
to the depository libraries. At the same time, a small but growing number of
information dissemination products are disseminated only in electronic format.

OMB believes that, as a matter of policy, electronic information
dissemination products generally should be provided to the depository
libraries. Given that production and supply of information dissemination
products to the depository libraries is primarily the responsibility of GPO,
agencies should provide appropriate electronic information dissemination
products to GPO for inclusion in the depository library program.

While cost may be a consideration, agencies should not conclude without
investigation that it would be prohibitively expensive to place their
electronic information dissemination products in the depository libraries.

For electronic information dissemination products other than on-line services,
agencies may have the option of having GPO produce the information
dissemination product for them, in which case GPO would pay for depository
library costs. Agencies should consider this option if it would be a cost
effective alternative to the agency making its own arrangements for production
of the information dissemination product. Using GPO's services in this manner
is voluntary and at the agency's discretion. Agencies could also consider
negotiating other terms, such as inviting GPO to participate in agency
procurement orders in order to distribute the necessary copies for the
depository libraries. With adequate advance planning, agencies should be able
to provide electronic information dissemination products to the depository
libraries at nominal cost.

In a particular case, substantial cost may be a legitimate reason for not
providing an electronic information dissemination product to the depository
library program. For example, for an agency with a substantial number of
existing titles of electronic information dissemination products, furnishing
copies of each to the depository libraries could be prohibitively expensive.

In that situation, the agency should endeavor to make available those titles
with the greatest general interest, value, and utility to the public.
Substantial cost could also be an impediment in the case of some on-line
information services where the costs associated with operating centralized
databases would make provision of unlimited direct access to numerous users
prohibitively expensive. In both cases, agencies should consult with the GPO,
in order to identify those information dissemination products with the
greatest public interest and utility for dissemination. In all cases,
however, where an agency discontinues publication of an information
dissemination product in paper format in favor of electronic formats, the
agency should work with the GPO to ensure availability of the information
dissemination product to depository libraries.

Notice to the Public. Sections 8a(6)(i) and (j) present new practices for
agencies to observe in communicating with the public about information
dissemination. Among agencies' responsibilities for dissemination is an
active knowledge of, and regular consultation with, the users of their
information dissemination products. A primary reason for communication with
users is to gain their contribution to improving the quality and relevance of
government information — how it is created, collected, and disseminated.
Consultations with users might include participation at conferences and
workshops, careful attention to correspondence and telephone communications
(e.g., logging and analyzing inquiries), or formalized user surveys.

A key part of communicating with the public is providing adequate notice of
agency information dissemination plans. Because agencies' information
dissemination actions affect other agencies as well as the public, agencies
must forewarn other agencies of significant actions. The decision to
initiate, terminate, or substantially modify the content, form, frequency, or
availability of significant products should also trigger appropriate advance
public notice. Where appropriate, the Government Printing Office should be
notified directly. Information dissemination products deemed not to be
significant require no advance notice.

Examples of significant products (or changes to them) might be those that:

(a) are required by law; e.g., a statutorily mandated report to Congress;

(b) involve expenditure of substantial funds;

(c) by reason of the nature of the information, are matters of continuing
public interest; e.g., a key economic indicator;

(d) by reason of the time value of the information, command public interest;
e.g., monthly crop reports on the day of their release;

(e) will be disseminated in a new format or medium; e.g., disseminating a
printed product in electronic medium, or disseminating a machine-readable data
file via on-line access.

Where members of the public might consider a proposed new agency product
unnecessary or duplicative, the agency should solicit and evaluate public
comments. Where users of an agency information dissemination product may be
seriously affected by the introduction of a change in medium or format, the
agency should notify users and consider their views before instituting the
change. Where members of the public consider an existing agency product
important and necessary, the agency should consider these views before
deciding to terminate the product. In all cases, however, determination of
what is a significant information dissemination product and what constitutes
adequate notice are matters of agency judgment.

Achieving Compliance with the Circular's Requirements. Section 8a(6)(k)
requires that the agency information dissemination management system ensure
that, to the extent existing information dissemination policies or practices
are inconsistent with the requirements of this Circular, an orderly transition
to compliance with the requirements of this Circular is made. For example,
some agency information dissemination products may be priced at a level which
exceeds the cost of dissemination, or the agency may be engaged in practices
which are otherwise unduly restrictive. In these instances, agencies must
plan for an orderly transition to the substantive policy requirements of the
Circular. The information dissemination management system must be capable of
identifying these situations and planning for a reasonably prompt transition.
Instances of existing agency practices which cannot immediately be brought
into conformance with the requirements of the Circular are to be addressed
through the waiver procedures of Section 10(b).

Section 8a(7). Avoiding Improperly Restrictive Practices. Federal agencies
are often the sole suppliers of the information they hold. The agencies have
either created or collected the information using public funds, usually in
furtherance of unique governmental functions, and no one else has it. Hence
agencies need to take care that their behavior does not inappropriately
constrain public access to government information.

When agencies use private contractors to accomplish dissemination, they must
take care that they do not permit contractors to impose restrictions that
undercut the agencies' discharge of their information dissemination
responsibilities. The contractual terms should assure that, with respect to
dissemination, the contractor behaves as though the contractor were the
agency. For example, an agency practice of selling, through a contractor,
on-line access to a database but refusing to sell copies of the database
itself may be improperly restrictive because it precludes the possibility of
another firm making the same service available to the public at a lower
price. If an agency is willing to provide public access to a database, the
agency should be willing to sell copies of the database itself.

By the same reasoning, agencies should behave in an even-handed manner in
handling information dissemination products. If an agency is willing to sell
a database or database services to some members of the public, the agency
should sell the same products under similar terms to other members of the
public, unless prohibited by statute. When an agency decides it has public
policy reasons for offering different terms of sale to different groups in the
public, the agency should provide a clear statement of the policy and its
basis.


Agencies should not attempt to exert control over the secondary uses of their
information dissemination products. In particular, agencies should not
establish exclusive, restricted, or other distribution arrangements which
interfere with timely and equitable availability of information dissemination
products, and should not charge fees or royalties for the resale or
redissemination of government information. These principles follow from the
fact that the law prohibits the Federal Government from exercising copyright.


Agencies should inform the public as to the limitations inherent in the
information dissemination product (e.g., possibility of errors, degree of
reliability, and validity) so that users are fully aware of the quality and
integrity of the information. If circumstances warrant, an agency may wish to
establish a procedure by which disseminators of the agency's information may
at their option have the data and/or value-added processing checked for
accuracy and certified by the agency. Using this method, redisseminators of
the data would be able to respond to the demand for integrity from purchasers
and users. This approach could be enhanced by the agency using its authority
to trademark its information dissemination product, and requiring that
redisseminators who wish to use the trademark agree to appropriate integrity
procedures. These methods have the possibility of promoting diversity, user
responsiveness, and efficiency as well as integrity. However, an agency's
responsibility to protect against misuse of a government information
dissemination product does not extend to restricting or regulating how the
public actually uses the information.

The Lanham Trademark Act of 1946, 15 U.S.C. 1055, 1125, 1127, provides an
efficient method to address legitimate agency concerns regarding public
safety. Specifically, the Act permits a trademark owner to license the mark,
and to demand that the user maintain appropriate quality controls over
products reaching consumers under the mark. See generally, McCarthy on
Trademarks, Sec. 18.13. When a trademark owner licenses the trademark to
another, it may retain the right to control the quality of goods sold under
the trademark by the licensee. Furthermore, if a licensee sells goods under
the licensed trademark in breach of the licensor's quality specifications, the
licensee may be liable for breach of contract as well as for trademark
infringement. This technique is increasingly being used to assure the
integrity of digital information dissemination products. For example, the
Census Bureau has trademarked its topologically integrated geographic encoding
and referencing data product ("TIGER/Line"), which is used as official source
data for legislative districting and other sensitive applications.

Whenever a need for special quality control procedures is identified, agencies
should adopt the least burdensome methods and ensure that the methods chosen
do not establish an exclusive, restricted, or other distribution arrangement
that interferes with timely and equitable availability of public information
to the public. Agencies should not attempt to condition the resale or
redissemination of their information dissemination products by members of the
public.

User charges. Title 5 of the Independent Offices Appropriations Act of 1952
(31 U.S.C. 9701) establishes Federal policy regarding fees assessed for
government services, and for sale or use of government property or resources.
OMB Circular No. A-25, User Charges, implements the statute. It provides for
charges for government goods and services that convey special benefits to
recipients beyond those accruing to the general public. It also establishes
that user charges should be set at a level sufficient to recover the full cost
of providing the service, resource, or property. Since Circular No. A-25 is
silent as to the extent of its application to government information
dissemination products, full cost recovery for information dissemination
products might be interpreted to include the cost of collecting and processing
information rather than just the cost of dissemination. The policy in Section
8a(7)(c) clarifies the policy of Circular No. A-25 as it applies to
information dissemination products. This policy was codified by the Paperwork
Reduction Act of 1995 at 35 U.S.C. Section 3506(d)(4)(D).

Statutes such as FOIA and the Government in the Sunshine Act establish a broad
and general obligation on the part of Federal agencies to make government
information available to the public and to avoid erecting barriers that impede
public access. User charges higher than the cost of dissemination may be a
barrier to public access. The economic benefit to society is maximized when
government information is publicly disseminated at the cost of dissemination.
Absent statutory requirements to the contrary, the general standard for user
charges for government information dissemination products should be to recover
no more than the cost of dissemination. It should be noted in this connection
that the government has already incurred the costs of creating and processing
the information for governmental purposes in order to carry out its mission.

Underpinning this standard is the FOIA fee structure, which establishes limits
on what agencies can charge for access to Federal records. That Act permits
agencies to charge only the direct reasonable cost of search, reproduction
and, in certain cases, review of requested records. In the case of FOIA
requests for information dissemination products, charges would be limited to
reasonable direct reproduction costs alone. No search would be needed to find
the product, thus no search fees would be charged. Neither would the record
need to be reviewed to determine if it could be withheld under one of the
Act's exemptions since the agency has already decided to release it. Thus,
FOIA provides an information "safety net" for the public.

While OMB does not intend to prescribe procedures for pricing government
information dissemination products, the cost of dissemination may generally be
thought of as the sum of all costs specifically associated with preparing a
product for dissemination and actually disseminating it to the public. When
an agency prepares an information product for its own internal use, costs
associated with such production would not generally be recoverable as user
charges on subsequent dissemination. When the agency prepares the product for
public dissemination, and disseminates it, costs associated with preparation
and actual dissemination would be recoverable as user charges.

In the case of government databases which are made available to the public on-line, the costs associated with initial database development, including the
costs  of  the  necessary  hardware  and  software,  would  not  be  included  in  the 
cost  of  dissemination.  Once  a  decision  is  made  to  disseminate  the  data, 
additional  costs  logically  associated  with  dissemination  can  be  included  in 
the  user  fee.  These  may  include  costs  associated  with  modification  of  the 
database  to  make  it  suitable  for  dissemination,  any  hardware  or  software 
enhancements  necessary  for  dissemination,  and  costs  associated  with  providing 
customer  service  or  telecommunications  capacity. 

In the case of information disseminated via CD-ROM, the costs associated with initial database development would likewise not be included in the cost of dissemination. However, a portion of the costs associated with formatting the data for CD-ROM dissemination and the costs of mastering the CD-ROM could logically be included as part of the dissemination cost, as would the cost associated with licensing appropriate search software.

Determining  the  appropriate  user  fee  is  the  responsibility  of  each  agency,  and 
involves  the  exercise  of  judgment  and  reliance  on  reasonable  estimates. 
Agencies  should  be  able  to  explain  how  they  arrive  at  user  fees  which 
represent  average  prices  and  which,  given  the  likely  demand  for  the  product, 
can  be  expected  to  recover  the  costs  associated  with  dissemination. 

When  agencies  provide  custom  tailored  information  services  to  specific 
individuals  or  groups,  full  cost  recovery,  including  the  cost  of  collection 
and  processing,  is  appropriate.  For  example,  if  an  agency  prepares  special 
tabulations  or  similar  services  from  its  databases  in  answer  to  a  specific 
request  from  the  public,  all  costs  associated  with  fulfilling  the  request 
would  be  charged,  and  the  requester  should  be  so  informed  before  work  is 
begun.

In  a  few  cases,  agencies  engaging  in  information  collection  activities  augment 
the  information  collection  at  the  request  of,  and  with  funds  provided  by, 
private sector groups. Since the 1920's, the Bureau of the Census has carried
out,  on  request,  surveys  of  certain  industries  at  greater  frequency  or  at  a 
greater  level  of  detail  than  Federal  funding  would  permit,  because  gathering 
the  additional  information  is  consistent  with  Federal  purposes  and  industry 
groups  have  paid  the  additional  information  collection  and  processing  costs. 
While  the  results  of  these  surveys  are  disseminated  to  the  public  at  the  cost 
of  dissemination,  the  existence  and  availability  of  the  additional  government 
data  are  special  benefits  to  certain  recipients  beyond  those  accruing  to  the 
public.  It  is  appropriate  that  those  recipients  should  bear  the  full  costs  of 
information  collection  and  processing,  in  addition  to  the  normal  costs  of 
dissemination.

Agencies  must  balance  the  requirement  to  establish  user  charges  and  the  level 
of  fees  charged  against  other  policies,  specifically,  the  proper  performance 
of  agency  functions  and  the  need  to  ensure  that  information  dissemination 
products  reach  the  public  for  whom  they  are  intended.  If  an  agency  mission 
includes  disseminating  information  to  certain  specific  groups  or  members  of 
the  public  and  the  agency  determines  that  user  charges  will  constitute  a 
significant  barrier  to  carrying  out  this  responsibility,  the  agency  may  have 
grounds  for  reducing  or  eliminating  its  user  charges  for  the  information 
dissemination  product,  or  for  exempting  some  recipients  from  the  charge.  Such 
reductions  or  eliminations  should  be  the  subject  of  agency  determinations  on  a 
case  by  case  basis  and  justified  in  terms  of  agency  policies. 

Section  8a  (8).  Electronic  Information  Dissemination.  Advances  in  information 
technology  have  changed  government  information  dissemination.  Agencies  now 
have  available  new  media  and  formats  for  dissemination,  including  CD-ROM, 
electronic  bulletin  boards,  and  public  networks.  The  growing  public 
acceptance  of  electronic  data  interchange  (EDI)  and  similar  standards  enhances 
their  attractiveness  as  methods  for  government  information  dissemination.  For 
example,  experiments  with  the  use  of  electronic  bulletin  boards  to  advertise 
Federal  contracting  opportunities  and  to  receive  vendor  quotes  have  achieved 
wider  dissemination  of  information  about  business  opportunities  with  the 
Federal  Government  than  has  been  the  case  with  traditional  notices  and 
advertisements.  Improved  information  dissemination  has  increased  the  number 
of firms expressing interest in participating in the government market and decreased prices to the government due to expanded competition. In addition, the development of public electronic information networks, such as the Internet, provides an additional way for agencies to increase the diversity of information sources available to the public. Emerging applications such as Wide Area Information Servers (built on the ANSI/NISO Z39.50 information retrieval standard) and the World Wide Web will be used increasingly to facilitate dissemination of government information such as environmental data, international trade information, and economic statistics in a networked environment.

A  basic  purpose  of  the  PRA  is  to  "provide  for  the  dissemination  of  public 
information  on  a  timely  basis,  on  equitable  terms,  and  in  a  manner  that 
promotes  the  utility  of  the  information  to  the  public  and  makes  effective  use 
of  information  technology."  (44  U.S.C.  3501(7))  Agencies  can  frequently 
enhance  the  value,  practical  utility,  and  timeliness  of  government  information 
as  a  national  resource  by  disseminating  information  in  electronic  media. 
Electronic  collection  and  dissemination  may  substantially  increase  the 
usefulness  of  government  information  dissemination  products  for  three  reasons. 
First,  information  disseminated  electronically  is  likely  to  be  more  timely  and 
accurate  because  it  does  not  require  data  re-entry.  Second,  electronic 
records  often  contain  more  complete  and  current  information  because,  unlike 
paper,  it  is  relatively  easy  to  make  frequent  changes.  Finally,  because 
electronic  information  is  more  easily  manipulated  by  the  user  and  can  be 
tailored  to  a  wide  variety  of  needs,  electronic  information  dissemination 
products  are  more  useful  to  the  recipients. 

As stated at Section 8a(1)(h), agencies should use voluntary standards and
Federal  Information  Processing  Standards  to  the  extent  appropriate  in  order  to 
ensure  the  most  cost  effective  and  widespread  dissemination  of  information  in 
electronic  formats. 

Agencies  can  frequently  make  government  information  more  accessible  to  the 
public  and  enhance  the  utility  of  government  information  as  a  national 
resource  by  disseminating  information  in  electronic  media.  Agencies  generally 
do  not  utilize  data  in  raw  form,  but  edit,  refine,  and  organize  the  data  in 
order  to  make  it  more  accessible  and  useful  for  their  own  purposes. 

Information  is  made  more  accessible  to  users  by  aggregating  data  into  logical 
groupings,  tagging  data  with  descriptive  and  other  identifiers,  and  developing 
indexing  and  retrieval  systems  to  facilitate  access  to  particular  data  within 
a  larger  file.  As  a  general  matter,  and  subject  to  budgetary,  security  or 
legal  constraints,  agencies  should  make  available  such  features  developed  for 
internal  agency  use  as  part  of  their  information  dissemination  products. 

There  will  also  be  situations  where  the  agency  determines  that  its  mission 
will  be  furthered  by  providing  enhancements  beyond  those  needed  for  its  own 
use,  particularly  those  that  will  improve  the  public  availability  of 
government  information  over  the  long  term.  In  these  instances,  the  agency 
should  evaluate  the  expected  usefulness  of  the  enhanced  information  in  light 
of  its  mission,  and  where  appropriate  construct  partnerships  with  the  private 
sector  to  add  these  elements  of  value.  This  approach  may  be  particularly 
appropriate  as  part  of  a  strategy  to  utilize  new  technology  enhancements,  such 
as  graphic  images,  as  part  of  a  particular  dissemination  program. 

Section 8a(9). Information Safeguards. The basic premise of this Section is that agencies should provide an appropriate level of protection to government information, given an assessment of the risks associated with its maintenance and use. Among the factors to be considered are the specific requirements of the Privacy Act of 1974 and the Computer Security Act of 1987.

In  particular,  agencies  are  to  ensure  that  they  meet  the  requirements  of  the 
Privacy  Act  regarding  information  retrievable  by  individual  identifier.  Such 
information  is  to  be  collected,  maintained,  and  protected  so  as  to  preclude 
intrusion  into  the  privacy  of  individuals  and  the  unwarranted  disclosure  of 
personal  information.  Individuals  must  be  accorded  access  and  amendment 
rights  to  records,  as  provided  in  the  Privacy  Act.  To  the  extent  that 
agencies  share  information  which  they  have  a  continuing  obligation  to  protect, 
agencies  should  see  that  appropriate  safeguards  are  instituted.  Appendix  I 
prescribes  agency  procedures  for  the  maintenance  of  records  about  individuals, 
reporting  requirements  to  OMB  and  Congress,  and  other  special  requirements  of 
specific  agencies,  in  accordance  with  the  Privacy  Act. 

This Section also incorporates the requirement of the Computer Security Act of 1987 that agencies plan to secure their systems commensurate with the risk and magnitude of the harm that could result from the loss, misuse, or unauthorized access to or modification of the information contained in those systems. It includes
assuring  the  integrity,  availability,  and  appropriate  confidentiality  of 
information.  It  also  involves  protection  against  the  harm  that  could  occur  to 
individuals  or  entities  outside  of  the  Federal  Government  as  well  as  the  harm 
to  the  Federal  Government.  Appendix  III  prescribes  a  minimum  set  of  controls 
to  be  included  in  Federal  automated  information  resources  security  programs 
and  assigns  Federal  agency  responsibilities  for  the  security  of  automated 
information  resources.  The  Section  also  includes  limits  on  collection  and 
sharing  of  information  and  procedures  to  assure  the  integrity  of  information 
as  well  as  requirements  to  adequately  secure  the  information. 

Incorporation  of  Circular  No.  A-114.  OMB  Circular  No.  A-114,  Management  of 
Federal  Audiovisual  Activities,  last  revised  on  March  20,  1985,  prescribed 
policies  and  procedures  to  improve  Federal  audiovisual  management.  Although 
OMB  has  rescinded  Circular  No.  A-114,  its  essential  policies  and  procedures 
continue.  This  revision  provides  information  resources  management  policies 
and  principles  independent  of  medium,  including  paper,  electronic,  or 
audiovisual.  By  including  the  term  "audiovisual"  in  the  definition  of 
"information,"  audiovisual  materials  are  incorporated  into  all  policies  of 
this  Circular. 

The requirement in Circular No. A-114 that the head of each agency designate an office with responsibility for the management oversight of an agency's audiovisual productions, and establish an appropriate program for the management of audiovisual productions in conformance with 36 CFR 1232.4, is incorporated into this Circular at Section 9a(10). The requirement that audiovisual activities be obtained consistent with OMB Circular No. A-76 is covered by Sections 8a(1)(d), 8a(5)(d)(i), and 8a(6)(b).

The  National  Archives  and  Records  Administration  will  continue  to  prescribe 
the  records  management  and  archiving  practices  of  agencies  with  respect  to 
audiovisual  productions  at  36  CFR  1232.4,  "Audiovisual  Records  Management." 

Section 8b. Information Systems and Information Technology Management

Section 8b(1). Evaluation and Performance Measurement. OMB encourages
agencies  to  stress  several  types  of  evaluation  in  their  oversight  of 
information  systems.  As  a  first  step,  agencies  must  assess  the  continuing 
need  for  the  mission  function.  If  the  agency  determines  there  is  a  continuing 
need  for  a  function,  agencies  should  reevaluate  existing  work  processes  prior 
to  creating  new  or  updating  existing  information  systems.  Without  this 
analysis,  agencies  tend  to  develop  information  systems  that  improve  the 
efficiency  of  traditional  paper-based  processes  which  may  be  no  longer  needed. 
The  application  of  information  technology  presents  an  opportunity  to 
reevaluate  existing  organizational  structures,  work  processes,  and  ways  of 
interacting  with  the  public  to  see  whether  they  still  efficiently  and 
effectively  support  the  agency's  mission. 

Benefit-cost  analyses  provide  vital  management  information  on  the  most 
efficient  allocation  of  human,  financial,  and  information  resources  to  support 
agency missions. Agencies should conduct a benefit-cost analysis for each information system to support management decision making to ensure: (a) alignment of the planned information system with the agency's mission needs; (b) acceptability of information system implementation to users inside the Government; (c) accessibility to clientele outside the Government; and (d) realization of projected benefits. When preparing benefit-cost analyses to support investments in information technology, agencies should seek to quantify the improvements in agency performance results through the measurement of program outputs.

The  requirement  to  conduct  a  benefit-cost  analysis  need  not  become  a 
burdensome  activity  for  agencies.  The  level  of  detail  necessary  for  such 
analyses  varies  greatly  and  depends  on  the  nature  of  the  proposed  investment. 
Proposed  investments  in  "major  information  systems"  as  defined  in  this 
Circular  require  detailed  and  rigorous  analysis.  This  analysis  should  not 
merely  serve  as  budget  justification  material,  but  should  be  part  of  the 
ongoing  management  oversight  process  to  ensure  prudent  allocation  of  scarce 
resources.  Proposed  investments  for  information  systems  that  are  not 
considered  "major  information  systems"  should  be  analyzed  and  documented  more 
informally.

While  it  is  not  necessary  to  create  a  new  benefit-cost  analysis  at  each  stage 
of  the  information  system  life  cycle,  it  is  useful  to  refresh  these  analyses 
with  up-to-date  information  to  ensure  the  continued  viability  of  an 
information  system  prior  to  and  during  implementation.  Reasons  for  updating  a 
benefit-cost  analysis  may  include  such  factors  as  significant  changes  in 
projected  costs  and  benefits,  significant  changes  in  information  technology 
capabilities,  major  changes  in  requirements  (including  legislative  or 
regulatory  changes),  or  empirical  data  based  on  performance  measurement  gained 
through  prototype  results  or  pilot  experience. 

Agencies  should  also  weigh  the  relative  benefits  of  proposed  investments  in 
information  technology  across  the  agency.  Given  the  fiscal  constraints  facing 
the  Federal  government  in  the  upcoming  years,  agencies  should  fund  a  portfolio 
of  investments  across  the  agency  that  maximizes  return  on  investment  for  the 
agency  as  a  whole.  Agencies  should  also  emphasize  those  proposed  investments 
that  show  the  greatest  probability  (i.e.,  display  the  lowest  financial  and 
operational  risk)  of  achieving  anticipated  benefits  for  the  organization.  OMB 
and  GAO  are  creating  a  publication  that  will  provide  agencies  with  reference 
materials  for  setting  up  such  evaluation  processes. 
Agencies  should  complete  a  retrospective  evaluation  of  information  systems 
once  operational  to  validate  projected  savings,  changes  in  practices,  and 
effectiveness  in  serving  affected  publics.  These  post-implementation  reviews 
may  also  serve  as  the  basis  for  agency-wide  learning  about  effective 
management  practices. 

Section 8b(2). Strategic Information Resources Management (IRM) Planning. Agencies should link to, and to the extent possible integrate, IRM planning with the agency strategic planning required by the Government Performance and Results Act (P.L. 103-62). Such a linkage ensures that agencies apply information resources to programs that support the achievement of agreed-upon mission goals. Additionally, strategic IRM planning by agencies may help avoid automating out-of-date, ineffective, or inefficient procedures and work processes.

Agencies  should  also  devote  management  attention  to  operational  information 
resources  management  planning.  This  operational  IRM  planning  should  provide  a 
one  to  five  year  focus  to  agency  IRM  activities  and  projects.  Agency 
operational  IRM  plans  should  also  provide  a  listing  of  the  major  information 
systems  covered  by  the  management  oversight  processes  described  in  Section 
8b(3). Agency operational planning for IRM should also communicate to the
public  how  the  agency's  application  of  information  resources  might  affect 
them.  For  the  contractor  community,  this  includes  articulating  the  agency's 
intent  to  acquire  information  technology  from  the  private  sector.  These  data 
should  not  be  considered  acquisition  sensitive,  so  that  they  can  be 
distributed  as  widely  as  possible  to  the  vendor  community  in  order  to  promote 
competition.  Agencies  should  make  these  acquisition  plans  available  to  the 
public  through  government-wide  information  dissemination  mechanisms,  including 
electronic  means. 

Operational  planning  should  also  include  initiatives  to  reduce  the  burden, 
including  information  collection  burden,  an  agency  imposes  on  the  public.  Too 
often,  for  example,  agencies  require  personal  visits  to  government  offices 
during  office  hours  inconvenient  to  the  public.  Instead,  agencies  should  plan 
to  use  information  technology  in  ways  that  make  the  public's  dealing  with  the 
Federal  government  as  "user-friendly"  as  possible. 

Each  year,  OMB  issues  a  bulletin  requesting  copies  of  agencies'  latest 
strategic  IRM  plans  and  annual  updates  to  operational  plans  for  information 
and  information  technology. 

Section 8b(3). Information Systems Management Oversight. Agencies should
consider  what  constitutes  a  "major  information  system"  for  purposes  of  this 
Circular  when  determining  the  appropriate  level  of  management  attention  for  an 
information  system.  The  anticipated  dollar  size  of  an  information  system  or  a 
supporting  acquisition  is  only  one  determinant  of  the  level  of  management 
attention  an  information  system  requires.  Additional  criteria  to  assess 
include  the  maturity  and  stability  of  the  technology  under  consideration,  how 
well  defined  user  requirements  are,  the  level  of  stability  of  program  and  user 
requirements,  and  security  concerns. 

For  instance,  certain  risky  or  "cutting-edge"  information  systems  require 
closer  scrutiny  and  more  points  of  review  and  evaluation.  This  is 
particularly  true  when  an  agency  uses  an  evolutionary  life  cycle  strategy  that 
requires  a  technical  and  financial  evaluation  of  the  project's  viability  at 
prototype and pilot testing phases. Projects relying on commercial off-the-shelf technology and applications will generally require less oversight than those using custom-designed software.

While  each  phase  of  an  information  system  life  cycle  may  have  unique 
characteristics,  the  dividing  line  between  the  phases  may  not  always  be 
distinct.  For  instance,  both  planning  and  evaluation  should  continue 
throughout  the  information  system  life  cycle.  In  fact,  during  any  phase,  it 
may  be  necessary  to  revisit  the  previous  stages  based  on  new  information  or 
changes  in  the  environment  in  which  the  system  is  being  developed. 

The  policy  statements  in  this  Circular  describe  an  information  system  life 
cycle.  It  does  not,  however,  make  a  definitive  statement  that  there  must  be 
four  versus  five  phases  of  a  life  cycle  because  the  life  cycle  varies  by  the 
nature  of  the  information  system.  Only  two  phases  are  common  to  all 
information  systems  -  a  beginning  and  an  end.  As  a  result,  life  cycle 
management  techniques  that  agencies  can  use  may  vary  depending  on  the 
complexity  and  risk  inherent  in  the  project. 

One element of this management oversight policy is the recognition of embedded
and/or  parallel  life  cycles.  Within  an  information  system's  life  cycle  there 
may  be  other  subsidiary  life  cycles.  For  instance,  most  Federal  information 
systems  projects  include  an  acquisition  of  goods  and  services  that  have  life 
cycle  characteristics.  Some  projects  include  software  development  components, 
which  also  have  life  cycles.  Effective  management  oversight  of  major 
information  systems  requires  a  recognition  of  all  these  various  life  cycles 
and  an  integrated  information  systems  management  oversight  with  the  budget  and 
human  resource  management  cycles  that  exist  in  the  agency. 

Section 8b(2) of the Circular underscores the need for agencies to bring an agency-wide perspective to a number of information resources management issues. These issues include policy formulation, planning, management and technical frameworks for using information resources, and management oversight of major information systems. Agencies should also provide for coordinated decision making (Section 8b(3)(f)) in order to bring together the perspectives
from  across  an  agency,  and  outside  if  appropriate.  Such  coordination  may  take 
place  in  an  agency-wide  management  or  IRM  committee.  Interested  groups 
typically  include  functional  users,  managers  of  financial  and  human  resources, 
information  resources  management  specialists,  and,  as  appropriate,  the 
affected  public. 

Section 8b(4). Use of Information Resources. Agency management of
information  resources  should  be  guided  by  management  and  technical  frameworks 
for  agency-wide  information  and  information  technology  needs.  The  technical 
framework  should  serve  as  a  reference  for  updates  to  existing  and  new 
information  systems.  The  management  framework  should  assure  the  integration 
of  proposed  information  systems  projects  into  the  technical  framework  in  a 
manner  that  will  ensure  progress  towards  achieving  an  open  systems 
environment.  Agency  strategic  IRM  planning  should  describe  the  parameters 
(e.g.,  technical  standards)  of  such  a  technical  framework.  The  management 
framework  should  drive  operational  planning  and  should  describe  how  the  agency 
intends  to  use  information  and  information  technology  consistent  with  the 
technical  framework. 

Agency  management  and  technical  frameworks  for  information  resources  should 
address  agency  strategies  to  move  toward  an  open  systems  environment.  These 
strategies should consist of one or multiple profiles (an internally consistent set of standards), based on the current version of NIST's Application Portability Profile. These profiles should satisfy user
requirements,  accommodate  officially  recognized  or  de  facto  standards,  and 
promote  interoperability,  application  portability,  and  scalability  by  defining 
interfaces,  services,  protocols,  and  data  formats  favoring  the  use  of 
nonproprietary  specifications. 

Agencies  should  focus  on  how  to  better  utilize  the  data  they  currently  collect 
from  the  public.  Because  agencies  generally  do  not  share  information,  the 
public  often  must  respond  to  duplicative  information  collections  from  various 
agencies  or  their  components.  Sharing  of  information  about  individuals  should 
be  consistent  with  the  Privacy  Act  of  1974,  as  amended,  and  Appendix  I  of  this 
Circular.

Services provided by information processing services organizations (IPSOs) to components of their own agency are often
perceived  to  be  "free"  by  the  service  recipients  because  their  costs  are 
budgeted  as  an  "overhead"  charge.  Service  recipients  typically  do  not  pay  for 
IPSO  services  based  on  actual  usage.  Since  the  services  are  perceived  to  be 
free,  there  is  very  little  incentive  for  either  the  service  recipients  or  the 
IPSO  managers  to  be  watchful  for  opportunities  to  improve  productivity  or  to 
reduce  costs.  Agencies  are  encouraged  to  institute  chargeback  mechanisms  for 
IPSOs  that  provide  common  information  processing  services  across  a  number  of 
agency  components  when  the  resulting  economies  are  expected  to  exceed  the  cost 
of  administration. 

Section 8b(5). Acquisition of Information Technology. Consistent with the requirements of the Brooks Act and the Paperwork Reduction Act, agencies should acquire information technology to improve service delivery, reduce the cost of Federal program administration, and minimize the burden of dealing with the Federal government. Agencies may wish to ask potential offerors to propose different technical solutions and approaches to fulfilling agency mission requirements. Evaluations of acquisitions of information technology must assess both the benefits and costs of applying technology to meet such requirements.

The  distinction  between  information  system  life  cycles  and  acquisition  life 
cycles  is  important  when  considering  the  implications  of  OMB  Circular  A-109, 
Acquisition  of  Major  Systems,  to  the  acquisition  of  information  resources. 
Circular A-109 presents one strategy for acquiring information technology when:

i) The agency intends to fund operational tests and demonstrations of system design;

ii) The risk is high due to the unproven integration of custom designed software and/or hardware components;

iii) The estimated cost savings or operational improvements from such a demonstration will further improve the return on investment; or

iv) The agency wants to acquire a solution based on state-of-the-art, unproven technology.

Agencies should comply with OMB Circular A-76, Performance of Commercial Activities, when considering conversion to or from in-house or contract performance.

Agencies should ensure that acquisitions for new information technology comply with GSA regulations concerning information technology accessibility for individuals with disabilities [41 C.F.R. 201-20.103-7].

Section 9a(11). Ombudsman. The senior agency official designated by the head
of  each  agency  under  44  U.S.C.  3506(a)  is  charged  with  carrying  out  the 
responsibilities  of  the  agency  under  the  PRA.  Agency  senior  information 
resources  management  officials  are  responsible  for  ensuring  that  their  agency 
practices  are  in  compliance  with  OMB  policies.  It  is  envisioned  that  the 
agency  senior  information  resources  management  official  will  work  as  an 
ombudsman  to  investigate  alleged  instances  of  agency  failure  to  adhere  to  the 
policies  set  forth  in  the  Circular  and  to  recommend  or  take  corrective  action 
as  appropriate.  Agency  heads  should  continue  to  use  existing  mechanisms  to 
ensure  compliance  with  laws  and  policies. 

Section  9b.  International  Relationships.  The  information  policies  contained 
in  the  PRA  and  Circular  A-130  are  based  on  the  premise  that  government 
information  is  a  valuable  national  resource,  and  that  the  economic  benefits  to 
society  are  maximized  when  government  information  is  available  in  a  timely  and 
equitable  manner  to  all.  Maximizing  the  benefits  of  government  information  to 
society  depends,  in  turn,  on  fostering  diversity  among  the  entities  involved 
in  disseminating  it.  These  include  for-profit  and  not-for-profit  entities, 
such  as  information  vendors  and  libraries,  as  well  as  State,  local  and  tribal 
governments.  The  policies  on  charging  the  cost  of  dissemination  and  against 
restrictive  practices  contained  in  the  PRA  and  Circular  A-130  are  aimed  at 
achieving  this  goal. 

Other  nations  do  not  necessarily  share  these  values.  Although  an  increasing 
number  are  embracing  the  concept  of  equitable  and  unrestricted  access  to 
public  information  —  particularly  scientific,  environmental,  and  geographic 
information  of  great  public  benefit  —  other  nations  are  treating  their 
information as a commodity to be "commercialized." Whereas the Copyright Act,
17  U.S.C.  105,  has  long  provided  that  "[c]opyright  protection  under  this  title 
is  not  available  for  any  work  of  the  United  States  Government,"  some  other 
nations  take  advantage  of  their  domestic  copyright  laws  that  do  permit 
government  copyright  and  assert  a  monopoly  on  certain  categories  of 
information  in  order  to  maximize  revenues.  Such  arrangements  tend  to  preclude 
other  entities  from  developing  markets  for  the  information  or  otherwise 
disseminating  the  information  in  the  public  interest. 

Thus, Federal agencies involved in international data exchanges are sometimes
faced with problems in disseminating data stemming from differing national
treatment of government copyright. For example, one country may attempt to
condition the sharing of data with a Federal agency on an agreement that the
agency will withhold release of the information or otherwise restrict its
availability to the public. Since the Freedom of Information Act does not
provide a categorical exemption for copyrighted information, and Federal
agencies have neither the authority nor capability to enforce restrictions on
behalf of other nations, agencies faced with such restrictive conditions lack
clear guidance as to how to respond.

The results of the July 1995 Congress of the World Meteorological
Organization, which sought to strike a balance of interests in this area, are
instructive. Faced with a resolution which would have essentially required
member nations to enforce restrictions on certain categories of information
for the commercial benefit of other nations, the United States proposed a
compromise which was ultimately accepted. The compromise explicitly affirmed
the general principle that government meteorological information — like all
other scientific, technical and environmental information — should be shared
globally without restriction; but recognized that individual nations may in
particular cases apply their own domestic copyright and similar laws to
prevent what they deem to be unfair or inappropriate competition within their
own territories. This compromise leaves open the door for further
consultation as to whether the future of government information policy in a
global information infrastructure should follow the "open and unrestricted
access" model embraced by the United States and a number of other nations, or
if it should follow the "government commercialization" model of others.

Accordingly, since the PRA and Circular A-130 are silent as to how agencies
should respond to similar situations, we are providing the following
suggestions. They are intended to foster globally the open and unrestricted
information policy embraced by the United States and like-minded nations,
while permitting agencies to have access to data provided by foreign
governments with restrictive conditions.

Release by a Federal agency of copyrighted information, whether under a FOIA
request or otherwise, does not affect any rights the copyright holder might
otherwise possess. Accordingly, agencies should inform any concerned foreign
governments that their copyright claims may be enforceable under United States
law, but that the agency is not authorized to prosecute any such claim on
behalf of the foreign government.

Whenever an agency seeks to negotiate an international agreement in which a
foreign party seeks to impose restrictive practices on information to be
exchanged, the agency should first coordinate with the State Department. The
State Department will work with the agency to develop the least restrictive
terms consistent with United States policy, and ensure that those terms
receive full interagency clearance through the established process for
granting agencies authority to negotiate and conclude international
agreements.

Finally, whenever an agency is attending meetings of international or
multilateral organizations where restrictive practices are being proposed as
binding on member states, the agency should coordinate with the State
Department, the Office of Management and Budget, the Office of Science and
Technology Policy, or the U.S. Trade Representative, as appropriate, before
expressing a position on behalf of the United States.


